Resurgence of Cryptojacking: Over 3,500 Websites Infected with Stealth Monero Mining Malware

Rise in Cryptojacking Activities

Recent reports from cybersecurity firm c/side reveal a concerning rise in cryptojacking activities, with over 3,500 websites now compromised by covert malware designed to mine Monero, a cryptocurrency known for its privacy features. This malware functions by stealthily commandeering users’ browsers, utilizing their processing power to mine Monero without their knowledge or consent. Unlike traditional malware that may lock files or steal data, this cryptomining strategy remains quiet, discreetly siphoning off processing resources.

New Tactics in Cryptojacking

The active campaign, which c/side has been tracking, cleverly avoids detection by employing techniques that throttle CPU usage and obscure network traffic through WebSocket streams. This notable shift in tactics marks a departure from previous, more disruptive cryptojacking methods. Typically, cryptojacking involves hijacking devices to harvest cryptocurrencies surreptitiously, a method that first gained notoriety in late 2017 through services like Coinhive, which was shut down two years later.

Despite mixed reports on the prevalence of cryptojacking in recent years, data suggest a recalibration and resurgence of the practice, as threat researchers have documented a subtle yet significant shift back to stealthier mining strategies. Instead of aggressive, CPU-draining scripts, today’s malware is designed to operate under the radar, staying unnoticed while generating revenue for its operators.

Integration of Malicious Code

According to an anonymous information security expert who spoke with Decrypt, the operators behind these cryptojacking attacks are likely leveraging existing access from previous compromises, specifically from earlier Magecart campaigns that involved injecting malicious code onto e-commerce platforms to steal payment details. The process of integrating the Monero mining script, as the researcher noted, was relatively simple: adding one more script to what had already been injected.

Challenges in Detection

What distinguishes this new wave of cryptojacking is its discreet operation, making traditional detection methods ineffective. Previous detection relied heavily on high CPU usage, but these new obfuscated WebAssembly miners maintain a low profile by capping resource utilization and communicating via WebSockets, which facilitates a continuous connection to servers while evading scrutiny.
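A defender-side illustration of the point above, added here and not part of the original report or of c/side's tooling: a static heuristic that flags page scripts combining a WebAssembly module with a WebSocket transport (plus Worker and thread-count hints), which catches the throttled miner without relying on CPU usage. The indicator patterns and the sample page are constructed assumptions, not vendor signatures.

```python
import re
from html.parser import HTMLParser

# Assumed indicators of an in-browser miner (constructed heuristic, not a vendor signature):
# a WebAssembly module, a WebSocket back-channel, a Worker pool, and thread sizing.
INDICATORS = {
    "wasm": re.compile(r"WebAssembly\.(instantiate|instantiateStreaming|compile)"),
    "websocket": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"),
    "worker": re.compile(r"new\s+Worker\s*\("),
    "thread_sizing": re.compile(r"navigator\.hardwareConcurrency"),
}

class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external src attributes, in page order."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []
            if self._src:  # external script: record where it comes from, body unknown offline
                self.scripts.append({"src": self._src, "body": ""})
    def handle_data(self, data):
        if self._in_script and not self._src:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            if not self._src:
                self.scripts.append({"src": None, "body": "".join(self._buf)})
            self._in_script = False

def scan_html(html):
    """Return one finding per script that pairs WASM with a WebSocket transport."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for i, s in enumerate(parser.scripts):
        hits = [name for name, rx in INDICATORS.items() if rx.search(s["body"])]
        if "wasm" in hits and "websocket" in hits:  # core combination; others add confidence
            findings.append({"index": i, "src": s["src"], "indicators": hits})
    return findings

# Constructed sample: a storefront page with two benign scripts and one injected miner skeleton.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>
const n = navigator.hardwareConcurrency || 2;
const ws = new WebSocket("wss://pool.example.invalid/ws");
WebAssembly.instantiate(buf).then(m => { for (let i = 0; i < n; i++) new Worker("w.js"); });
</script>
</head></html>"""
```

Run `scan_html(SAMPLE_PAGE)` against a crawl of your own pages; external `src` entries need fetching and a second pass before the same check applies to them.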

Potential Risks and Vigilance

Although the mining scripts are not aimed directly at cryptocurrency users, their real targets are the owners of the compromised servers and web applications, whose sites are quietly turned against their own visitors. The threat remains substantial, as there is a real risk that these scripts could evolve to include more harmful functionality, including stealing cryptocurrencies directly. As the online security landscape continues to evolve, webmasters and security teams must remain vigilant against these new, subtle threats to keep their systems uncompromised.