Cookie Consent Script Drops In-Browser Cryptocurrency Miner

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A free-to-use script that helps website owners show EU cookie consent popups is dropping an in-browser cryptocurrency miner on websites that use it.

The hidden miner came to light today when Dutch security researcher Willem de Groot discovered it on the website of Albert Heijn, the biggest supermarket chain in the Netherlands.

Miner delivered via CookieScript.info service
At a closer look at the site's JavaScript files, de Groot tracked the infection to a file named "cookiescript.min.js," loaded from cookiescript.info. This domain is registered to the Cookie Consent service, a website that allows site owners to quickly put together a cookie consent popup that adheres to the EU's annoying cookie law.

The Cookie Consent service generates a block of code that webmasters must embed in their sites.

One of the cookie consent JavaScript files loaded through this service contained a copy of Crypto-Loot, an in-browser Monero miner.

CookieScript-source-code.png


At the time of writing, we found the Crypto-Loot-tainted JavaScript file at several URLs:

http://cookiescript.info/libs/cookiescript.min.js
https://cookiescript.cdn2.info/libs/cookieconsent.4.min.js
https://cookiescript.cdn2.info/libs/cookieconsent.5.min.js
https://cookiescript.cdn2.info/libs/cookieconsent.6.min.js
Click to expand...


Miner now removed... at least from where it counts
Administrators of the Cookie Consent service appear to have noticed the hidden miner, as the service's popup builder is now offering a version of this file that does not include the Crypto-Loot miner.

Despite this, the Cookie Consent website itself continues to load an older version of its own script, still delivering the Crypto-Loot miner.

Malwarebytes-detection.gif


CookieScript-CPU-usage.png


Webmasters who downloaded the Cookie Consent files and hosted them locally are not affected. Website owners that use the service should make sure they load a version of the script that does not load the hidden miner.
Click to expand...
 
  • Like
Reactions: cryogent, Weebarra, In2an3_PpG and 4 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Applause
Technology Cookie Pledge: EU admits that cookie banners are annoying, suggests remedy
Replies
1
Views
662
Technology News
vtqhtr413
vtqhtr413
oldschool
    • Like
    • +Reputation
When privacy-preserving advertising measurement falls short
Replies
1
Views
328
Brave
bazang
bazang
silversurfer
    • Like
    • +Reputation
    • Applause
New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner
Replies
0
Views
768
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top