Resource-draining code hides in pop-under windows that can remain open indefinitely.
Over the past month or two, drive-by cryptomining has emerged as a way to generate the cryptocurrency known as Monero. Hackers harness the electricity and CPU resources of millions of unsuspecting people as they visit hacked or deceitful websites. One researcher recently documented 2,500 sites actively running cryptomining code in visitors’ browsers, a figure that, over time, could generate significant revenue. Until now, however, the covert mining has come with a major disadvantage for the attacker or website operator: the mining stops as soon as the visitor leaves the page or closes the page window.
Now, researchers from anti-malware provider Malwarebytes have identified a technique that allows the leaching to continue even after a user has closed the browser window. It works by opening a pop-under window that fits behind the Microsoft Windows taskbar and hides behind the clock. The window remains open indefinitely until a user takes special actions to close it. During that time, it continues to run code that generates Monero on behalf of the person controlling the Website.
The animated GIF image at the top of this post shows the Windows task bar on the left. On the right is the offending browser window as the user removes it from its hiding place, resizes it, and finally closes it. In a blog post published Wednesday morning, Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura wrote:
This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.
The Ad Maven ad network opens the pop-up window and loads a page hosted on elthamely[.]com. The page, in turn, loads resources from the Amazon content delivery network cloudfront.net. The Amazon resources retrieve a payload from yet another domain, hatevery[.]info.
Another way the new technique tries to conceal itself: the code running in the hidden browser window takes special care not to max out the CPU resources of the computer it’s running on. By throttling down the computationally intensive mathematical operations, the persistent mining stands a better chance of not being detected by end users.
Segura said the technique worked on the latest version of Chrome running on the latest versions of Windows 7 and Windows 10. At the moment, there are no indications the hidden window trick is being used against users of other browsers and operating systems, but don’t be surprised if that happens soon.
Listing image by Lisa Brewster / Flickr