Cryptojacking Script Continues to Operate After Users Close Their Browser

LASER_oneXM (thread author)

The operator of at least one website has been spotted using small windows hidden under the user's Windows taskbar to continue to operate an in-browser miner even after the user closed the main browser window.

Discovered by Malwarebytes researcher Jerome Segura, the miscreants behind this campaign utilize a tactic known as a pop-under, a trick that allows them to spawn a new window, separate from the main browser.

Site operator hid popup under Windows taskbar

JavaScript code also allows the abusive website owners to configure the size of this window and its coordinates (position) on the user's screen.

According to Segura, this website (an adult portal) used the following formula to dynamically calculate the position of this new window.

    Horizontal position = (current screen width) – 100px
    Vertical position = (current screen height) – 40px

For most users, this would display a tiny window hiding under the Windows taskbar. Crooks would then load a JavaScript file inside this hidden window. This file is a customized version of the Coinhive in-browser miner, a script that would utilize the user's CPU resources to mine the Monero cryptocurrency for the crooks.

Popup is hard to spot but fairly easy to remove

Unless users have transparency enabled in their OS interface, they would have no chance of spotting this hidden window, unless they went looking for rogue processes inside the Windows Task Manager.

Furthermore, unlike most other cryptojackers, the script does not utilize the user's full CPU power, but limits its activity to lower values, hoping not to induce a slowdown of the user's computer.

According to Segura, if users spot something wrong, they can use the Windows Task Manager to kill the rogue browser process associated with this window, or resize the Windows taskbar and force the window to become visible.

[Images from the original article: Window-positioning.png, How-to.gif]

TairikuOkami

I have sacrificed myself :giggle: to visit that webpage and do some testing.

Indeed, a popup to cloudfront.net appears in the background. It is not visible on the desktop/tabs, but you can see it by looking at the taskbar's preview.
Once the browser is closed, it is still open, even when you have running background apps disabled. Hardly noticeable, unless you look at the icon.
If you notice the popup and close it manually, the CPU process stops. Mitigations: 1. Poper Blocker blocks it. 2. Blocking iframes, e.g. using ScriptSafe.
 

Attachments: capture_11292017_224741.jpg, capture_11292017_230506.jpg, capture_11292017_225511.jpg

It is actually smart they did not use 100%, that would be greedy and people would notice lagging, 50% is not that noticeable by common users and hides pretty well.
Yep. I bet an absolute ton of people have this running in the background right now, completely oblivious to its presence.
 
Easy solution: Right-click on taskbar / Properties / tick: Auto-hide the taskbar. Apply, OK.
TairikuOkami - I hope that this rogue window is not attached (glued) to the taskbar?

Look on the image and explanation on windowscentral.com: How to auto-hide the taskbar in Windows 10

___________________________

I wrote too:
"Don't make big company games: start using serious defenses like anti-scripts... ContentBlockHelper, ScriptSafe, Script Blocker for Chrome, Policeman... NoScript... RequestPolicy Continued... and other HIPS, anti-exe... etc."

And "Blocking iframes, eg using ScriptSafe." - wrote TairikuOkami...

Your digital savior is not only our beloved ScriptSafe...
In all my anti-scripts (ContentBlockHelper and ScriptSafe above all...), I have blocked cloudfront.net, that's all.
Once blocked, it would be blocked automatically forever, for all websites (and you can unblock it at any time, no problem, but no reason to...).
 