Cryptojacking Script Continues to Operate After Users Close Their Browser

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
The operator of at least one website has been spotted using small windows hidden under the user's Windows taskbar to continue to operate an in-browser miner even after the user closed the main browser window.

Discovered by Malwarebytes researcher Jerome Segura, the miscreants behind this campaign utilize a tactic known as a pop-under, a trick that allows them to spawn a new window, separate from the main browser.

Site operator hid popup under Windows taskbar
JavaScript code also allows the abusive website owners to configure the size of this window and its coordinates (position) on the user's screen.

According to Segura, this website — an adult portal— used the following formula to dynamically calculate the position of this new window.

Horizontal position = (current screen width) – 100px
Vertical position = (current screen height) – 40px
For most users, this would display a tiny window hiding under the Windows taskbar. Crooks would then load a JavaScript file inside this hidden window. This file is a customized version of the Coinhive in-browser miner, a script that would utilize the user's CPU resources to mine the Monero cryptocurrency for the crooks.
Click to expand...

Popup is hard to spot but fairly easy to remove

Unless users have transparency enabled with their OS interface, they would have no chance at spotting this hidden window, unless they went looking for rogue processes inside the Windows Task Manager.


Furthermore, unlike most other cryptojackers, the script does not utilize the user's full CPU power, but limits its activity to lower values, hoping not to induce a slowdown of the user's computer.

According to Segura, if users spot something wrong, they can use the Windows Task Manager to kill the rogue browser process associated with this window, or resize the Windows taskbar and force the window to become visible.

Window-positioning.png


How-to.gif


T
Click to expand...
 
  • Like
Reactions: spaceoctopus, upnorth, TairikuOkami and 3 others
TairikuOkami

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,643
I have sacrificed myself :giggle: to visit that webpage and do some testing.

Indeed, a popup to cloudfront.net appears in the background, it is not visible on desktop/tabs, but you can see it, looking at taskbar's preview.
Once the browser is closed, it is still opened, even when you have running background apps disabled. Hardly noticeable, unless you look at the icon.
If you notice the popup and close it manually, the CPU process stops. Mitigations: 1. Poper Blocker blocks it. 2. Blocking iframes, eg using ScriptSafe.
 

Attachments

  • capture_11292017_224741.jpg
    capture_11292017_224741.jpg
    168.7 KB · Views: 375
  • capture_11292017_230506.jpg
    capture_11292017_230506.jpg
    113.3 KB · Views: 446
  • capture_11292017_225511.jpg
    capture_11292017_225511.jpg
    44.2 KB · Views: 397
  • Like
Reactions: Prorootect, spaceoctopus, upnorth and 2 others
Prorootect

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Easy solution: Right click on taskbar/Properties/notch: Auto-hide the taskbar. Apply, OK.
TairikuOkami - I hope, that this rogue window is not attached, glued to taskbar?

Look on the image and explanation on windowscentral.com: How to auto-hide the taskbar in Windows 10

___________________________

I wrote too:
"Don't make big company games: start using serious defenses like anti-scripts... ContentBlockHelper, ScriptSafe, Script Blocker for Chrome, Policeman... NoScript... RequestPolicy Continued... and other HIPS, anti-exe... etc."

And "Blocking iframes, eg using ScriptSafe." - wrote TairikuOkami...

Your digital savior is not only our beloved ScriptSafe...
In my all anti-scripts (ContentBlockHelper and ScriptSafe above all...), I have blocked cloudfront.net, that's all.
Once blocked, would be blocked automatically forever, for all websites (and you can unblock it at any time, no problem, but no reason too...).
 
Last edited:
  • Like
Reactions: upnorth and harlan4096
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
Malware News Malware locks browser in kiosk mode to steal Google credentials
Replies
0
Views
1,509
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
Scams & Phishing News Scam-Warning: Fake Trojan alert (here shown via Facebook ads)
Replies
0
Views
1,817
Security News
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
    • +Reputation
Malware News GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack
Replies
1
Views
2,035
Security News
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top