Monero mining malware hits 3,500+ sites as cryptojacking attacks make a comeback
The post Monero mining malware hits 3,500+ sites as cryptojacking attacks make a comeback appeared on BitcoinEthereumNews.com. Cryptojacking attacks are back again, compromising more than 3,500 websites and silently hijacking users’ browsers to mine Monero, a privacy-focused cryptocurrency. The campaign was uncovered by cybersecurity firm c/side on Tuesday, almost seven years after defunct service Coinhive was shut down after popularizing the tactic since 2017. According to c/side researchers, the malware is hidden in obfuscated JavaScript code that silently deploys a miner when users visit an infected site. Once a visitor lands on the compromised page, the script quietly evaluates the device’s computing power. Then it launches parallel Web Workers in the background to perform mining operations, without the user’s consent. By throttling processor usage and routing communication through WebSocket streams, the miner avoids detection, hiding behind normal browser traffic. “The goal is to siphon resources over time, like a digital vampire persistently,” c/side analysts explained. How the cryptojacking code operates c/side found a code inserted on a website through a third-party JavaScript file loaded from https://www.yobox[.]store/karma/karma.js?karma=bs?nosaj=faster.mo. Instead of directly mining Monero on initial execution, it first checks if the user’s browser supports WebAssembly, a standard for running applications with high processing demands. The code then gauges if the device is suitable for mining, and spins up background Web Workers dubbed “worcy,” which handle the mining tasks discreetly and leave the main browser thread undisturbed. Commands and mining intensity levels are inserted from a command-and-control (C2) server via WebSocket connections. The hosting domain of the JavaScript miner has previously been linked to Magecart campaigns, infamous for stealing payment card details. This could mean the group behind the current campaign have a history in cybercrime. Threat spreads through website exploits In recent weeks, cybersecurity sleuths have discovered several client-side attacks on websites running on WordPress. The researchers spotted infection methods that embed malicious JavaScript or PHP code into WP…
The post Monero mining malware hits 3,500+ sites as cryptojacking attacks make a comeback appeared on BitcoinEthereumNews.com.
Cryptojacking attacks are back again, compromising more than 3,500 websites and silently hijacking users’ browsers to mine Monero, a privacy-focused cryptocurrency. The campaign was uncovered by cybersecurity firm c/side on Tuesday, almost seven years after defunct service Coinhive was shut down after popularizing the tactic since 2017. According to c/side researchers, the malware is hidden in obfuscated JavaScript code that silently deploys a miner when users visit an infected site. Once a visitor lands on the compromised page, the script quietly evaluates the device’s computing power. Then it launches parallel Web Workers in the background to perform mining operations, without the user’s consent. By throttling processor usage and routing communication through WebSocket streams, the miner avoids detection, hiding behind normal browser traffic. “The goal is to siphon resources over time, like a digital vampire persistently,” c/side analysts explained. How the cryptojacking code operates c/side found a code inserted on a website through a third-party JavaScript file loaded from https://www.yobox[.]store/karma/karma.js?karma=bs?nosaj=faster.mo. Instead of directly mining Monero on initial execution, it first checks if the user’s browser supports WebAssembly, a standard for running applications with high processing demands. The code then gauges if the device is suitable for mining, and spins up background Web Workers dubbed “worcy,” which handle the mining tasks discreetly and leave the main browser thread undisturbed. Commands and mining intensity levels are inserted from a command-and-control (C2) server via WebSocket connections. The hosting domain of the JavaScript miner has previously been linked to Magecart campaigns, infamous for stealing payment card details. This could mean the group behind the current campaign have a history in cybercrime. Threat spreads through website exploits In recent weeks, cybersecurity sleuths have discovered several client-side attacks on websites running on WordPress. The researchers spotted infection methods that embed malicious JavaScript or PHP code into WP…
What's Your Reaction?
