Hackers infected thousands of websites with hidden Monero miner

The malicious code does not steal passwords or block files, but only secretly uses part of the processor's power to mine cryptocurrency. Due to load limiting and the use of WebSocket connections, the miner is practically invisible and does not cause typical symptoms of cryptojacking, which significantly complicates its detection.

Cryptojacking is unauthorized mining on other people's devices, which first became widespread after the appearance of the Coinhive service in 2017. Despite the closure of this service in 2019, the activity of this kind of malware has not disappeared, and in some cases has even increased. However, the modern approach has become more subtle: scripts run with a minimum load to avoid suspicion, a cybersecurity expert from an anonymous source told Decrypt.

Analysts at c/side described the attack process in detail. A JavaScript file (for example, karma[.]js) is added to the victim's website, which starts mining. The script checks the capabilities of the browser and device, optimizing the load, and then creates background processes. Then, using WebSockets or HTTPS, it contacts the command and control server, receiving tasks and sending the results to the hackers.

Although this malware is not aimed at stealing cryptocurrency wallets, such a possibility technically exists. The main threat is the owners of infected servers and web applications, whose resources are used for hidden mining without their consent.

Let us recall that on June 12, Kaspersky Lab experts identified a new wave of hidden mining in Russia. The hacker group Librarian Ghouls (aka Rare Werewolf) hacked hundreds of devices, using them to mine cryptocurrency without the users' permission.

Thus, modern cryptojacking methods have evolved and become more invisible, which requires website owners and users to be especially attentive and use effective means of protection against such threats.