A sophisticated new attack campaign has revived browser-based cryptojacking, compromising over 3,500 websites worldwide with stealthy JavaScript cryptocurrency miners. Unlike earlier, more noticeable cryptojacking attempts, this new iteration is designed for evasion. Researchers discovered a highly obfuscated JavaScript miner that first assesses a device’s computational power and then employs background Web Workers to execute mining tasks in parallel. This method allows the attackers to discreetly exploit user devices for cryptocurrency generation without raising suspicion or significantly impacting performance, effectively turning unsuspecting visitors’ computers into hidden crypto-mining machines.
A key innovation in this campaign is the use of WebSockets to communicate with an external server. This enables the miner to dynamically adjust its intensity based on the device’s capabilities, throttling resource consumption to maintain its stealthy operation. Security researchers emphasize that the primary goal of this attack is not to immediately drain a device’s resources but rather to persistently siphon them over an extended period, likening the approach to a “digital vampire.” The exact method by which these websites are initially compromised to facilitate the in-browser mining remains unknown, indicating a potentially well-concealed exploit chain.
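The behaviour described above (probe the core count, spawn a worker pool, open a WebSocket control channel) is observable from the page itself. The following is an added example, not code from the campaign or from the researchers’ analysis: a defensive monitor that wraps a page’s `Worker` and `WebSocket` constructors and the `navigator.hardwareConcurrency` getter, then scores how closely the page’s activity matches that pattern. In a browser it would be installed against `window` before page scripts run (for instance from an extension content script); `makeStubScope`, the threshold of half the core count, and the two simulated pages are constructed assumptions so that it can also be exercised offline.

```javascript
// Added example: behavioural monitor for the Web Worker + WebSocket pattern.
// Not part of the original article; `makeStubScope` and the thresholds are assumptions.

function installCryptojackingMonitor(scope, options = {}) {
  const nav = scope.navigator || {};
  const cores = nav.hardwareConcurrency || 1;
  // Assumed heuristic: a pool of at least half the cores is worth flagging.
  const workerThreshold = options.workerThreshold ?? Math.max(2, Math.floor(cores / 2));
  const state = { cores, workers: 0, workerUrls: [], messagesToWorkers: 0,
                  sockets: [], hardwareConcurrencyReads: 0 };

  // Step 1 of the pattern: the script fingerprints available parallelism.
  if ('hardwareConcurrency' in nav) {
    Object.defineProperty(nav, 'hardwareConcurrency', {
      configurable: true,
      get() { state.hardwareConcurrencyReads += 1; return cores; },
    });
  }

  // Step 2: workers are spawned and fed jobs through postMessage.
  const OriginalWorker = scope.Worker;
  if (typeof OriginalWorker === 'function') {
    scope.Worker = function Worker(url, opts) {
      state.workers += 1;
      state.workerUrls.push(String(url));
      const worker = new OriginalWorker(url, opts);
      const originalPost = worker.postMessage.bind(worker);
      worker.postMessage = (...args) => { state.messagesToWorkers += 1; return originalPost(...args); };
      return worker;
    };
    scope.Worker.prototype = OriginalWorker.prototype;
  }

  // Step 3: a WebSocket to an external server carries jobs and throttling commands.
  const OriginalWebSocket = scope.WebSocket;
  if (typeof OriginalWebSocket === 'function') {
    scope.WebSocket = function WebSocket(url, protocols) {
      state.sockets.push(String(url));
      return protocols === undefined ? new OriginalWebSocket(url) : new OriginalWebSocket(url, protocols);
    };
    scope.WebSocket.prototype = OriginalWebSocket.prototype;
  }

  function assess() {
    const reasons = [];
    if (state.hardwareConcurrencyReads > 0) reasons.push('reads navigator.hardwareConcurrency');
    if (state.workers >= workerThreshold) reasons.push(`spawned ${state.workers} workers on a ${cores}-core device`);
    if (state.sockets.length > 0) reasons.push(`opened WebSocket to ${state.sockets.join(', ')}`);
    const level = reasons.length >= 3 ? 'high' : reasons.length === 2 ? 'medium' : 'low';
    return { level, reasons, state };
  }
  return { assess, state };
}

// Constructed stand-ins for the browser globals so the monitor runs under Node.
function makeStubScope(cores) {
  class StubWorker { constructor(url) { this.url = url; } postMessage() {} terminate() {} }
  class StubWebSocket { constructor(url) { this.url = url; } send() {} close() {} }
  return { navigator: { hardwareConcurrency: cores }, Worker: StubWorker, WebSocket: StubWebSocket };
}

// Constructed activity matching the campaign's pattern: pool sized to the core
// count plus a control channel. No mining logic is involved, only the shape.
function runWorkerPoolWithControlChannel(scope, host) {
  const n = scope.navigator.hardwareConcurrency;
  const pool = Array.from({ length: n }, () => new scope.Worker('worker.js'));
  const ws = new scope.WebSocket(`wss://${host}/`);
  pool.forEach((w, i) => w.postMessage({ job: i }));
  return { pool, ws };
}

// Constructed activity for a typical page: one worker, no socket.
function runBenignPage(scope) {
  const w = new scope.Worker('image-resize.js');
  w.postMessage({ resize: true });
  return w;
}
```

The score is a heuristic: a legitimate media editor can also use a worker pool and a WebSocket, so in practice the verdict is combined with sustained CPU sampling and with a Content Security Policy whose `worker-src` and `connect-src` directives only allow the site’s own origins, which blocks injected workers and control channels outright rather than merely observing them.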
Further analysis revealed that the domain hosting this JavaScript miner has a history of being associated with Magecart credit card skimmers. This connection suggests a strategic diversification of payloads and revenue streams by the threat actors, indicating their capability to weaponize JavaScript for various opportunistic attacks against website visitors. The reuse of infrastructure for both cryptocurrency mining and credit/debit card exfiltration scripts underscores the attackers’ agility and willingness to exploit client-side vulnerabilities for multiple malicious purposes, maximizing their illicit gains.
The emergence of this cryptojacking campaign aligns with other recent client-side and website-oriented attacks that employ diverse techniques to compromise sites and users. These include abusing legitimate Google OAuth endpoints for redirects to malicious payloads, injecting Google Tag Manager scripts into WordPress databases to redirect visitors to spam domains, and compromising core WordPress files like wp-settings.php to inject malicious PHP scripts. Attackers are also observed injecting code into WordPress theme footers for browser redirects and using fake WordPress plugins that only activate when search engine crawlers are detected, serving spam content to manipulate search rankings.
Furthermore, a significant supply chain attack has been identified involving backdoored versions of the WordPress plugin Gravity Forms. This malicious version, distributed through the official download page, attempts to block updates and reach an external server to download additional payloads. If successful, it endeavors to add an administrative account, granting the attackers complete control over the website. This provides a backdoor for a range of other malicious actions, including expanding remote access, injecting arbitrary code, manipulating existing admin accounts, and accessing stored WordPress data, highlighting the persistent and evolving threat landscape for website security.