Since our last blog on drive-by cryptomining, we have been witnessing more and more cases of abuse involving the infamous Coinhive service, which allows websites to use their visitors' computers to mine the Monero cryptocurrency.
Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once.
One of the major drawbacks of web-based cryptomining we mentioned in our paper was its ephemeral nature compared to persistent malware, which can run a miner for as long as the computer remains infected. Indeed, when users close their browser, the cryptomining activity also stops, thereby cutting off the perpetrators' profit.
However, we have come across a technique that allows dubious website owners, or attackers who have compromised sites, to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser; results may vary with other browsers. What we observed was the following:
- A user visits a website, which silently loads cryptomining code.
- CPU activity rises but is not maxed out.
- The user leaves the site and closes the Chrome window.
- CPU activity remains higher than normal as cryptomining continues.
The trick is that although the visible browser windows are closed, a hidden one remains open. This is due to a pop-under that is sized to fit right under the taskbar and hides behind the clock. The hidden window's coordinates vary with each user's screen resolution, but follow this rule:
- Horizontal position = ( current screen x resolution ) – 100
- Vertical position = ( current screen y resolution ) – 40
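The placement rule above is also a detection opportunity: a defender can enumerate top-level windows and flag any browser window whose top-left corner sits at (screen width - 100, screen height - 40), or, more generally, whose top edge starts inside the taskbar band or entirely off the desktop. The following script is an added example, not Malwarebytes' code. It runs the heuristic over a constructed list of windows; on a live Windows host the same records would be gathered with pywin32 (`win32gui.EnumWindows` and `win32gui.GetWindowRect`) plus the owning process name, and the taskbar height (assumed here to be 40 px) would be read from the system rather than hard-coded. The browser process list is likewise an assumption to be adapted to your environment.

```python
"""Heuristic detector for browser windows parked behind the Windows taskbar.

Added example (not the original post's code). Window records are constructed
inline so the logic runs offline; on a real host collect them with pywin32.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

POPUNDER_X_OFFSET = 100   # horizontal position = screen width  - 100
POPUNDER_Y_OFFSET = 40    # vertical position   = screen height - 40

# Assumed taskbar height in pixels; read it from the live system in practice.
TASKBAR_HEIGHT = 40

# Assumed set of browser image names worth inspecting.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


@dataclass(frozen=True)
class WindowInfo:
    title: str
    process: str   # owning process image name
    left: int      # screen coordinates of the top-left corner
    top: int
    width: int
    height: int

    @property
    def right(self) -> int:
        return self.left + self.width

    @property
    def bottom(self) -> int:
        return self.top + self.height


def matches_popunder_rule(win: WindowInfo, screen_w: int, screen_h: int,
                          tolerance: int = 2) -> bool:
    """Exact rule from the post: corner at (screen_w - 100, screen_h - 40)."""
    return (abs(win.left - (screen_w - POPUNDER_X_OFFSET)) <= tolerance
            and abs(win.top - (screen_h - POPUNDER_Y_OFFSET)) <= tolerance)


def classify(win: WindowInfo, screen_w: int, screen_h: int) -> Optional[str]:
    """Return why a browser window's placement is suspicious, or None."""
    if win.process.lower() not in BROWSER_PROCESSES:
        return None
    if matches_popunder_rule(win, screen_w, screen_h):
        return "matches pop-under rule (x-100, y-40)"
    # Generalisation: a window whose top edge starts inside the taskbar band
    # is covered by the taskbar whatever its exact coordinates.
    if screen_h - TASKBAR_HEIGHT <= win.top < screen_h:
        return "starts inside taskbar band"
    # A window placed entirely outside the desktop is equally invisible.
    if (win.left >= screen_w or win.top >= screen_h
            or win.right <= 0 or win.bottom <= 0):
        return "entirely off-screen"
    return None


def find_hidden_browser_windows(windows: List[WindowInfo], screen_w: int,
                                screen_h: int) -> List[Tuple[WindowInfo, str]]:
    """Return (window, reason) pairs for every suspiciously placed browser window."""
    hits = []
    for win in windows:
        reason = classify(win, screen_w, screen_h)
        if reason:
            hits.append((win, reason))
    return hits


# Constructed sample: a 1920x1080 desktop with one normal Chrome window, one
# parked at the pop-under position, a non-browser window at the same spot, one
# pushed off-screen to the right and one tucked into the taskbar band.
SCREEN_W, SCREEN_H = 1920, 1080
SAMPLE_WINDOWS = [
    WindowInfo("Example Site - Google Chrome", "chrome.exe", 100, 100, 1200, 800),
    WindowInfo("Google Chrome", "chrome.exe", 1820, 1040, 300, 200),
    WindowInfo("Untitled - Notepad", "notepad.exe", 1820, 1040, 300, 200),
    WindowInfo("Google Chrome", "chrome.exe", 2500, 300, 400, 300),
    WindowInfo("Google Chrome", "chrome.exe", 1500, 1055, 200, 100),
]

if __name__ == "__main__":
    for win, reason in find_hidden_browser_windows(SAMPLE_WINDOWS, SCREEN_W, SCREEN_H):
        print(f"{win.process} '{win.title}' at ({win.left},{win.top}): {reason}")
```

The exact-match check is kept separate from the broader taskbar-band and off-screen checks so that a hit on the published rule can be reported with higher confidence, while the generalised checks still catch variants that shift the window by a few pixels or onto a second monitor.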
If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and the window will pop back into view: