ForkLog

Hackers Infect Over 3,500 Websites with Monero Cryptojacker


Cybercriminals have infected more than 3,500 websites with scripts for covert cryptocurrency mining, according to cybersecurity firm c/side.

The malware does not steal passwords or lock files. Instead, it uses a small share of the visitor's computing power, without consent, to mine Monero. The miner keeps CPU load below the level that would look suspicious, which makes it difficult to detect.

“By limiting CPU usage and disguising traffic through WebSocket connections, this script avoids the typical signs of traditional cryptojacking,” analysts noted. 

Cryptojacking refers to the unauthorized use of others’ devices to mine digital assets, typically without the owners’ knowledge. This tactic emerged in 2017 with the launch of the Coinhive service, which was shut down in 2019. At that time, reports on the prevalence of such malware were conflicting: some sources reported a decline in activity, while other labs recorded a 29% increase. 

Five years later, cryptojacking has returned in a more concealed form. Previously, such scripts overloaded processors and slowed devices down; now the malware's main strategy is to stay undetected and mine slowly without arousing suspicion, an anonymous cybersecurity expert told Decrypt.

c/side analysts described the main stages of the attack: 

The malware is not aimed at stealing cryptocurrency wallets, although technically such a function could be added. At risk are server and web application owners whose sites become platforms for mining.

Earlier in June, experts from Kaspersky Lab reported a new wave of covert mining in Russia. The hacker group Librarian Ghouls, also known as Rare Werewolf, compromised hundreds of Russian devices.
