Attackers have infected more than 3,500 websites with hidden scripts that mine Monero (XMR). The malware steals no passwords and encrypts no files; instead, when a user visits an infected site, it turns their browser into a Monero mining engine, quietly consuming a small share of the machine's computing power without the victim's consent.
By capping CPU usage and tunnelling the mining traffic through WebSocket streams, the attackers avoid the telltale signs of traditional cryptojacking, the unauthorized use of someone else's device to mine cryptocurrency. The tactic first drew public attention in late 2017 with the appearance of the Coinhive service, which was shut down in 2019.
Earlier mining scripts pegged processors and visibly slowed devices. This campaign's malware stays unnoticed, mining slowly enough not to raise suspicion.
Stages of infection:
The domain trustisimportant[.]fun is linked to both cryptojacking and Magecart campaigns (skimming payment card data from the checkout pages of online stores). The IP addresses 89.58.14.251 and 104.21.80.1 served as command-and-control (C2) servers.
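The evasion technique (throttled mining, WebSocket transport) and the indicators listed above can both be checked from the script text a page loads. The following scanner is an added example, not code from c/side or from the campaign: it extracts the WebSocket endpoints a script opens, compares them against the article's IoCs and against a site-specific allowlist, and scores behavioural hints of in-browser mining. The two sample scripts, the allowlist host chat.example.com and the heuristic weights are constructed assumptions for this example.

```javascript
// Added example (not from the c/side report): a heuristic scanner for the
// indicators described above. Input is script text (inline or fetched), for
// instance from a crawl of your own site. IoC values come from the article;
// the sample scripts below are constructed for this example, not captures.

function refang(ioc) {
  // Turn the defanged "example[.]com" form used in reports back into a hostname.
  return ioc.replace(/\[\.\]/g, ".");
}

const IOC_DOMAINS = ["trustisimportant[.]fun"].map(refang);
const IOC_IPS = ["89.58.14.251", "104.21.80.1"];

// Behavioural hints of throttled in-browser mining, each with an assumed weight.
// None is conclusive alone (a chat widget uses WebSockets too), hence scoring.
const HEURISTICS = [
  { name: "websocket", re: /new\s+WebSocket\s*\(/, weight: 2 },
  { name: "wasm", re: /WebAssembly\.(instantiate|instantiateStreaming|compile)\b/, weight: 2 },
  { name: "worker", re: /new\s+(Shared)?Worker\s*\(/, weight: 1 },
  { name: "hardwareConcurrency", re: /navigator\.hardwareConcurrency/, weight: 1 },
  { name: "throttling", re: /\b(throttle|cpuLimit|maxCpu|requestIdleCallback)\b/i, weight: 1 },
];

// Extract hostnames from every ws:// or wss:// literal in the script.
// URLs assembled at runtime are not caught; see the note below the block.
const WS_URL_RE = /wss?:\/\/([a-z0-9.-]+)(?::\d+)?/gi;
function websocketHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(WS_URL_RE)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Score one script. allowedHosts: WebSocket endpoints the site legitimately uses.
function scanScript(src, allowedHosts = []) {
  const findings = [];
  let score = 0;
  for (const ioc of [...IOC_DOMAINS, ...IOC_IPS]) {
    if (src.includes(ioc)) { findings.push(`ioc:${ioc}`); score += 5; }
  }
  for (const host of websocketHosts(src)) {
    if (IOC_DOMAINS.includes(host) || IOC_IPS.includes(host)) continue; // counted above
    if (!allowedHosts.includes(host)) { findings.push(`ws-unlisted:${host}`); score += 2; }
  }
  for (const h of HEURISTICS) {
    if (h.re.test(src)) { findings.push(h.name); score += h.weight; }
  }
  return { score, findings, verdict: score >= 5 ? "suspicious" : "clean" };
}

// Constructed samples (assumed, not captured from the campaign).
const BENIGN_SCRIPT = `
  const chat = new WebSocket("wss://chat.example.com/socket");
  chat.onmessage = (e) => render(JSON.parse(e.data));
`;
const MINER_SCRIPT = `
  const threads = Math.max(1, Math.floor(navigator.hardwareConcurrency / 4));
  WebAssembly.instantiate(wasmBytes).then(({ instance }) => {
    const w = new Worker(URL.createObjectURL(new Blob([loop])));
    const c2 = new WebSocket("wss://trustisimportant.fun/ws");
    c2.onmessage = (e) => w.postMessage(e.data);
  });
`;

console.log(scanScript(BENIGN_SCRIPT, ["chat.example.com"])); // score 2, clean
console.log(scanScript(MINER_SCRIPT, ["chat.example.com"]));  // score 11, suspicious
```

Two limitations worth keeping in mind: a miner that builds its WebSocket URL from fragments or fetches it from C2 leaves no `wss://` literal to match, so pair static scanning with runtime monitoring of outbound WebSocket connections (or a Content-Security-Policy `connect-src` that lists only the hosts the site needs), and IP-based IoCs on shared hosting go stale quickly and should be weighted below domain hits once the campaign infrastructure rotates.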
Source: c/side
The site's content is intended for persons aged 21 and over. By viewing the materials, you confirm that you meet the age restriction.
Online media entity; media identifier R40-06029.