Malware authors are using JavaScript code delivered via malvertising campaigns to mine different cryptocurrencies inside people's browsers, without their knowledge.

Crooks are currently deploying this technique on Russian and Ukrainian websites, but expect this trend to spread to other regions of the globe.

Malicious ads delivered on gaming and streaming sites

The way crooks pulled this off was by using an online advertising company that allows them to deploy ads with custom JavaScript code.

The JavaScript code is a modified version of MineCrunch (also known as Web Miner), a script released in 2014 that can mine cryptocurrencies using JavaScript code executed inside the browser.

Cryptocurrency mining operations are notoriously resource-intensive and tend to slow down a user's computer. To avoid raising suspicion, crooks delivered malicious ads mainly on video streaming and browser-based gaming sites.

Both types of sites use lots of resources, and users wouldn't get suspicious when their computer slowed down while accessing the site. Furthermore, users tend to linger more on browser games and video streaming services, allowing the mining script to do its job and generate profits for the crooks.

Mining operations taking place while visiting wotsite[.]net

Crooks mined Monero, Zcash, others

ESET, the security firm that discovered the malvertising campaign, says the JavaScript mining scripts were capable of mining for Monero, Feathercoin, and Litecoin.

Crooks appear to have used only the Monero mining feature. The Litecoin miner configuration was left blank, while the Feathercoin miner was left in its default config, using the same Feathercoin address from this demo page hosted on GitHub.

Furthermore, researchers also spotted a campaign that mined for Zcash. This campaign appears to have been managed by a different group, and they didn't use malicious ads but instead hosted the JavaScript mining code on the site itself. It is unclear if the site was hacked or the site's admins were knowingly hosting the Zcash miner on their domain.

Based on the number of DNS lookups for domains associated with the campaign mining Monero, ESET says the malvertising domains received as much DNS lookup traffic as Github's Gist service.

Ad blockers twarth some JavaScript mining operations

The good news is that users can protect themselves against surreptitious JS-based cryptocurrency miners hidden in ad code by using an ad blocker.

The mining operation also stops once users leave the site, and no extra clean-up is needed to remove malware from computers.

Ad blockers won't help if the JavaScript mining code loads from outside of designated ad slots/domains — the case when website owners host and load the script from their own domains.

Not the first time it happened

Browser-based miners aren't anything new. The Bitp.it service experimented with something like this in 2011, but the service eventually shut down.

In 2015, the New Jersey Attorney General’s office shut down a company called Tidbit that was offering website owners a way to mine cryptocurrency on the computers of site visitors. Authorities argued that this was illegal, on the same level as hacking, because Tidbit or website owners didn't ask for specific permission to carry out such intrusive operations.

Cryptocurrency mining is a lucrative business for malware authors. According to a recent report, at least 1.65 million computers have been infected with cryptocurrency mining malware this year so far.

Security researchers can find a breakdown of the malvertising infection chain, along with indicators of compromise, in ESET reports available here.

Image credits: Pixeden, ESET, Bleeping Computer