Stealthy in-browser cryptomining continues even after you close window

In-browser cryptocurrency mining is, in theory, a neat idea: make users’ computers “mine” Monero for website owners so they don’t have to bombard users with ads in order to earn money.

Unfortunately, in this far-from-ideal world of ours, mining scripts – first offered by Coinhive but soon after by other outfits – are mostly used by unscrupulous web admins and hackers silently compromising websites.

A lucrative enterprise

As ad-blocking services and antivirus vendors began blocking Coinhive’s original script, the developers created a new API that prevents website owners from forcing the cryptomining onto their visitors without their permission.

But, as the initial API still has yet to been retired, it’s not shocking that it’s still much more popular and widespread than the second one.

AdGuard researchers recently found 33,000 websites running cryptojacking scripts, and 95% of them run the Coinhive script.

“We estimate the joint profit at over US $150,000 per month. In case of Coinhive, 70% of this sum goes to the website owner, and 30% to the mining network,” they noted.

That’s $45,000 per month for Coinhive, and over half a million if the situation were to remain unchanged. This is also the most likely reason why Coinhive has not retired the original miner script.

Keeping those browsers mining

But, as adblockers and some AV vendors are ramping up their efforts to block cryptojacking scripts from running, the crooks have to come up with new ways to keep them unnoticed. They are also testing new ways for keeping browsers open and mining even if the users leave the mining website.

Malwarebytes’ researchers detailed one of these efforts, which involves covert pup-under windows, throttled mining, and an ad network that works hard on bypassing adblockers.

The “attack” unfolds like this: the user visits a website that silently loads cryptomining code and starts mining, but throttles it so that user’s CPU power is not used up completely. This prevents the machine from slowing down and heating up, and makes it more likely that the user won’t notice the covert mining.

But, when the user leaves the site and closes the browser window, another browser window remains open, made to hide under the taskbar, and continues mining.

“If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up,” Malwarebytes researcher Jerome Segura explained.

browser cryptomining

The rogue pop-under window can then be closed, and the mining stopped. Unfortunately, too many users won’t notice it or notice for a while that their computer has become somewhat sluggish.

“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself,” Segura noted.

“The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.”

The researchers tested the scheme by using the latest version of the Google Chrome browser on Windows. Results may vary with other browsers and other operating systems.

Chrome developers have been debating whether the browser should block or flag CPU mining attempts since early September, but a decision has still not been made.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss