Article Details

Scrape Timestamp (UTC): 2025-07-21 04:11:20.337

Source: https://thehackernews.com/2025/07/3500-websites-hijacked-to-secretly-mine.html

Original Article Text

3,500 Websites Hijacked to Secretly Mine Crypto Using Stealth JavaScript and WebSocket Tactics

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive.

Although the service has since shuttered after browser makers took steps to ban miner-related apps and add-ons, researchers from c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm.

More importantly, the activity has been found to leverage WebSockets to fetch mining tasks from an external server, so as to dynamically adjust the mining intensity based on the device capabilities and accordingly throttle resource consumption to maintain stealth.

"This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools," security researcher Himanshu Anand said.

The net result of this approach is that users would unknowingly mine cryptocurrency while browsing the compromised website, turning their computers into covert crypto generation machines without their knowledge or consent. Exactly how the websites are breached to facilitate in-browser mining is currently not known.

Further dissection has determined that over 3,500 websites have been ensnared in the sprawling illicit crypto mining effort, with the domain hosting the JavaScript miner also linked to Magecart credit card skimmers in the past, indicating attempts on the part of the attackers to diversify their payloads and revenue streams.

The use of the same domains to deliver both miner and credit/debit card exfiltration scripts indicates the ability of the threat actors to weaponize JavaScript and stage opportunistic attacks aimed at unsuspecting site visitors.
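The miner described above depends on two browser features, Web Workers and WebSocket connections to an external server, and a site's Content-Security-Policy governs both. The following is an added example, not code from the article or from c/side: a small audit that reports when a policy leaves either feature open to arbitrary hosts. The sample policies and hostnames are constructed placeholders.

```javascript
// Added example: audit a CSP header for the two features the miner relies on.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per CSP, only the first occurrence of a directive counts.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The first directive present in the fallback chain governs the request type.
function effective(policy, chain) {
  for (const name of chain) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// '*' or a bare scheme such as 'https:' / 'wss:' / 'blob:' is not tied to any host.
const isBroad = (src) => src === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(src);

function auditCsp(header) {
  const policy = parseCsp(header);
  const checks = [
    ['WebSocket/fetch destinations', ['connect-src', 'default-src']],
    ['Web Worker script sources', ['worker-src', 'child-src', 'script-src', 'default-src']],
  ];
  const findings = [];
  for (const [what, chain] of checks) {
    const eff = effective(policy, chain);
    if (!eff) {
      findings.push(`${what}: unrestricted (none of ${chain.join(', ')} is set)`);
      continue;
    }
    const broad = eff.sources.filter(isBroad);
    if (broad.length) findings.push(`${what}: ${eff.name} allows any host via ${broad.join(' ')}`);
  }
  return findings;
}

// Constructed sample policies (hostnames are placeholders).
const weak = "default-src 'self'; script-src 'self' https:; connect-src *";
const tight = "default-src 'self'; connect-src 'self' wss://ws.example.com; worker-src 'self'";
console.log(auditCsp(weak));  // two findings
console.log(auditCsp(tight)); // no findings
```

A clean result only describes the policy as served; it says nothing about scripts already hosted on an allowed origin.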
"Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden," c/side said. "The goal isn't to drain devices instantly, it is to persistently siphon resources over time, like a digital vampire."

The findings coincide with a Magecart skimming campaign targeting East Asian e-commerce websites using the OpenCart content management system (CMS) to inject a fake payment form during checkout and collect financial information, including bank details, from victims. The captured information is then exfiltrated to the attacker's server.

In recent weeks, client-side and website-oriented attacks have been found to take different forms -

"If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload," RocketGenius, the team behind Gravity Forms, said. "If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions, such as expanding remote access, additional unauthorized arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data."

Daily Brief Summary

CYBERCRIME // Widespread Cryptojacking Campaign Targets Over 3,500 Websites

Researchers have identified a sophisticated cryptojacking campaign affecting more than 3,500 websites globally, using stealth JavaScript.

The deployed stealth miners assess a device's computational power and use Web Workers to mine cryptocurrency covertly and remain undetected.

The cryptojacking script leverages WebSockets to dynamically receive mining tasks adjusted to device capabilities, optimizing stealth.

Users of affected websites inadvertently mine cryptocurrency due to covert mining scripts, without their consent or awareness.

The domains hosting these JavaScript miners have previously been associated with Magecart credit card skimming operations.

This diversification of attack vectors includes both cryptocurrency mining and financial theft from unsuspecting website visitors.

The tactics focus on staying hidden and slowly draining resources, described as a "digital vampire" approach by researchers.

Coinciding Magecart campaigns have targeted East Asian e-commerce platforms to steal bank details using fake payment forms.