In a significant resurgence of cryptojacking, over 3,500 websites worldwide have been infiltrated with malicious JavaScript code designed to mine cryptocurrency without user consent. This campaign marks a return to browser-based mining tactics reminiscent of the now-defunct CoinHive service, which was widely used for unauthorized cryptocurrency mining before its shutdown in 2019.
Security researchers from c/side have uncovered that the attackers employed obfuscated JavaScript to embed stealthy mining scripts into the compromised websites. These scripts assess the computational capabilities of the visitor’s device and initiate background Web Workers to perform mining tasks concurrently. By leveraging WebSockets, the mining intensity is dynamically adjusted based on the device’s performance, ensuring that resource consumption remains below detectable thresholds. This sophisticated approach allows the mining process to operate covertly, avoiding detection by both users and security tools.
Himanshu Anand, a security researcher at c/side, emphasized the stealthy nature of the attack:
This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools.
The exact methods used to breach these websites remain unclear. However, the domain hosting the malicious JavaScript miner has previously been associated with Magecart credit card skimming activities. This connection suggests that the threat actors are diversifying their attack vectors to maximize illicit gains. By deploying both cryptojacking and credit card skimming scripts, they exploit JavaScript vulnerabilities to target unsuspecting site visitors.
The attackers’ strategy reflects a shift towards maintaining prolonged, undetected access to compromised systems. Rather than aggressively exploiting resources, they aim to siphon computational power over extended periods, akin to a digital vampire. This method ensures a steady stream of mined cryptocurrency while minimizing the risk of detection.
This campaign coincides with a Magecart skimming operation targeting East Asian e-commerce websites using the OpenCart content management system. In this scheme, attackers inject fake payment forms during the checkout process to collect sensitive financial information, including bank details, from unsuspecting customers. The stolen data is then transmitted to attacker-controlled servers for further exploitation.
Recent client-side and website-oriented attacks have manifested in various forms, including:
– JavaScript Embeds: Exploiting the callback parameter of legitimate Google OAuth endpoints to redirect users to obfuscated JavaScript payloads. These payloads establish malicious WebSocket connections to attacker-controlled domains, facilitating unauthorized activities.
– Google Tag Manager (GTM) Abuse: Injecting GTM scripts directly into WordPress databases (e.g., wp_options and wp_posts tables) to load remote JavaScript. This technique redirects visitors from over 200 sites to spam domains, compromising user experience and site integrity.
– WordPress Compromises: Modifying critical WordPress files, such as wp-settings.php, to include malicious PHP scripts. These scripts connect to command-and-control servers, leveraging the site’s search engine rankings to inject spam content and boost the visibility of malicious sites in search results.
– Theme File Injections: Embedding malicious code into a WordPress theme’s footer PHP script to execute browser redirects, leading users to unintended and potentially harmful destinations.
These incidents underscore the evolving nature of web-based attacks and the importance of robust security measures. Website administrators are urged to conduct regular security audits, keep software and plugins updated, and monitor for unauthorized changes to their sites. Implementing Content Security Policies (CSP) and Subresource Integrity (SRI) can also help mitigate the risk of such attacks by restricting the sources from which scripts can be loaded and ensuring that only trusted code is executed.
For users, employing browser extensions that block mining scripts, such as No Coin or MinerBlock, can provide an additional layer of protection against cryptojacking attempts. Staying informed about emerging threats and practicing safe browsing habits remain crucial in safeguarding personal and organizational digital assets.
