A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive.
Although the service has since shuttered after browser makers took steps to ban miner-related apps and add-ons, researchers from c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm.
More importantly, the activity has been found to leverage WebSockets to fetch mining tasks from an external server, so as to dynamically adjust the mining intensity based on the device capabilities and accordingly throttle resource consumption to maintain stealth.
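The traits described above (probing device capacity, spawning Web Workers, and pulling work over a WebSocket) rarely co-occur in legitimate page scripts, which makes them usable as a detection heuristic. The following is an added example for defenders, not code from the c/side report or from the campaign; the indicator names, weights and threshold are assumptions, and the two sample scripts are constructed stand-ins rather than captured payloads.

```javascript
// Static heuristic over a script's source text: each indicator is a regex for
// one behaviour the article describes, and a script is flagged only when the
// core trio (CPU probe + Web Worker + WebSocket) appears together.
// Weights and the threshold are illustrative assumptions, not tuned values.
const INDICATORS = [
  { name: "cpu_probe",   re: /navigator\.hardwareConcurrency/,                   weight: 2 },
  { name: "web_worker",  re: /new\s+Worker\s*\(/,                                 weight: 2 },
  { name: "websocket",   re: /new\s+WebSocket\s*\(\s*["'`]wss?:/,                 weight: 2 },
  { name: "throttle",    re: /setInterval\s*\(|setTimeout\s*\(/,                  weight: 1 },
  { name: "blob_worker", re: /URL\.createObjectURL\s*\(\s*new\s+Blob/,            weight: 2 },
  { name: "obfuscated",  re: /(\\x[0-9a-f]{2}){8,}|atob\s*\(|\[["']\w+["']\]\s*\(/i, weight: 1 },
];

function scoreScript(source) {
  const matched = INDICATORS.filter(i => i.re.test(source));
  const hits = matched.map(i => i.name);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  // A lone WebSocket or Worker is normal (chat widgets, image processing);
  // the article's miner pattern is the combination, so require all three.
  const core = ["cpu_probe", "web_worker", "websocket"].every(n => hits.includes(n));
  return { score, hits, suspicious: core && score >= 6 };
}

// Constructed sample: a benign chat widget that only uses a WebSocket.
const BENIGN_CHAT = `
  const ws = new WebSocket("wss://chat.example/socket");
  ws.onmessage = e => render(JSON.parse(e.data));
`;

// Constructed sample with the article's traits in skeletal form (no mining
// logic): sizes worker count to CPU cores, opens a socket for tasks, and
// paces activity with a timer.
const SUSPICIOUS = `
  var n = navigator.hardwareConcurrency || 2;
  var ws = new WebSocket("wss://tasks.example.invalid/ws");
  for (var i = 0; i < n; i++) { new Worker(URL.createObjectURL(new Blob([b]))); }
  setInterval(function(){ ws.send(atob(s)); }, 5000);
`;

// Running this file prints one line per sample with its score and indicators.
for (const [label, src] of [["benign", BENIGN_CHAT], ["suspicious", SUSPICIOUS]]) {
  const r = scoreScript(src);
  console.log(label, r.suspicious ? "FLAGGED" : "ok", r.score, r.hits.join(","));
}
```

In practice this would run over scripts collected from a page's network or DOM, with the hit list fed to an analyst rather than used as a blocking decision on its own.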
“This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools,” security researcher Himanshu Anand said.
The net result of this approach is that users would unknowingly mine cryptocurrency while browsing the compromised website, turning their computers into covert crypto generation machines without their knowledge or consent. Exactly how the websites are breached to facilitate in-browser mining is currently not known.
Further dissection has determined that over 3,500 websites have been ensnared in the sprawling illicit crypto mining effort, with the domain hosting the JavaScript miner also linked to Magecart credit card skimmers in the past, indicating attempts on the part of the attackers to diversify their payloads and revenue streams.
The use of the same domains to deliver both miner and credit/debit card exfiltration scripts indicates the ability of the threat actors to weaponize JavaScript and stage opportunistic attacks aimed at unsuspecting site visitors.

“Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden,” c/side said. “The goal isn’t to drain devices instantly, it is to persistently siphon resources over time, like a digital vampire.”
The findings coincide with a Magecart skimming campaign targeting East Asian e-commerce websites using the OpenCart content management system (CMS) to inject a fake payment form during checkout and collect financial information, including bank details, from victims. The captured information is then exfiltrated to the attacker’s server.
In recent weeks, client-side and website-oriented attacks have been found to take different forms –
- Utilizing JavaScript embeds that abuse the callback parameter associated with a legitimate Google OAuth endpoint (“accounts.google[.]com/o/oauth2/revoke”) to redirect to an obfuscated JavaScript payload that creates a malicious WebSocket connection to an attacker-controlled domain
- Using Google Tag Manager (GTM) script directly injected into the WordPress database (i.e., wp_options and wp_posts tables) in order to load remote JavaScript that redirects visitors of over 200 sites to spam domains
- Compromising a WordPress site’s wp-settings.php file to include a malicious PHP script directly from a ZIP archive that connects to a command-and-control (C2) server and ultimately leverages the site’s search engine rankings to inject spammy content and boost their sketchy sites in search results
- Injecting malicious code into a WordPress site theme’s footer PHP script to serve browser redirects
- Using a fake WordPress plugin named after the infected domain to evade detection and spring into action only when search engine crawlers are detected in order to serve spam content designed to manipulate search engine results
- Distributing backdoored versions of the WordPress plugin Gravity Forms (affecting only versions 2.9.11.1 and 2.9.12) through the official download page in a supply chain attack that contacts an external server to fetch additional payloads and adds an admin account that gives the attacker complete control of the website
“If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload,” RocketGenius, the team behind Gravity Forms, said.
“If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions, such as expanding remote access, additional unauthorized arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data.”