
Over 3,500 Websites Infected with JavaScript Miners


JavaScript Miner

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners. This surge marks the return of browser-based cryptojacking attacks, a trend once popularized by the likes of CoinHive.

Although browser makers later banned miner-related apps and add-ons, prompting the shutdown of CoinHive, researchers from c/side uncovered evidence of a stealthy miner. Packed within obfuscated JavaScript, it assesses the computational power of a device and then spawns background Web Workers to run mining tasks in parallel without raising any alarm.

More importantly, the operation uses WebSockets to fetch mining tasks from an external server. This lets the attack dynamically adjust mining intensity to the device's capabilities and throttle resource consumption in order to stay stealthy.
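As an added illustration (not code from the article or from c/side), the snippet below is a small static heuristic a defender could run over a page's script bodies: it looks for the combination of traits the article describes, CPU probing, Web Worker spawning, WebSocket tasking, timer-based throttling and string decoding, and reports a character-entropy figure as an obfuscation hint. Indicator names, weights, the threshold and the two sample scripts are assumptions constructed for this example.

```javascript
// Added example: heuristic triage of script source text for the traits of the
// stealth miner described in the article. Weights and threshold are assumed.
const INDICATORS = [
  { name: "cpu-probe",     weight: 2, re: /navigator\.hardwareConcurrency/ },
  { name: "web-worker",    weight: 2, re: /new\s+Worker\s*\(/ },
  { name: "blob-worker",   weight: 1, re: /URL\.createObjectURL\s*\(\s*new\s+Blob/ },
  { name: "websocket",     weight: 2, re: /new\s+WebSocket\s*\(/ },
  { name: "throttle",      weight: 1, re: /set(Interval|Timeout)\s*\(/ },
  { name: "string-decode", weight: 2, re: /\batob\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}/ },
];
// Assumed threshold: any single indicator is common in benign code, but the
// miner profile described above lights up most of them at once.
const THRESHOLD = 6;

// Shannon entropy in bits per character; packed or encoded payloads tend to
// score higher than hand-written code, so it is reported alongside the hits.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Score one script body and return the matched indicators plus a verdict.
function scoreScript(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return {
    score,
    hits: hits.map((i) => i.name),
    entropy: Number(shannonEntropy(source).toFixed(2)),
    verdict: score >= THRESHOLD ? "suspicious" : "clean",
  };
}

// Constructed samples: a harmless widget, and an inert string that merely
// chains the API names the article attributes to the miner (nothing is run).
const BENIGN = 'document.getElementById("y").textContent = new Date().getFullYear();';
const SUSPECT = 'var n=navigator.hardwareConcurrency||2;' +
  'var s=new WebSocket("wss://example.invalid/tasks");' +
  'for(var i=0;i<n;i++){new Worker(URL.createObjectURL(new Blob([atob("Ly8=")])));}' +
  'setInterval(function(){},1e3);';

console.log(scoreScript(BENIGN).verdict, scoreScript(SUSPECT));
```

Run against the inline and external script bodies of a page (for example from a crawler or a CSP report pipeline), the hit list tells an analyst which of the article's traits co-occur rather than flagging on any one API alone.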

“This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools,” security researcher Himanshu Anand said.

Consequently, users unknowingly mine cryptocurrency while browsing the compromised website, as the attack turns their devices into covert crypto generation machines without their consent. Exactly how the attackers breach these websites to facilitate in-browser mining, however, remains unclear.

Upon further investigation, researchers confirmed that over 3,500 websites became entangled in this large-scale cryptojacking effort. The domain hosting the JavaScript miner has also been linked to Magecart credit card skimmers in the past, which indicates that the attackers aim to diversify both their payloads and revenue streams.

Moreover, the use of the same domains to deliver miners and credit/debit card exfiltration scripts highlights the attackers' ability to weaponize JavaScript and orchestrate opportunistic campaigns against unsuspecting visitors.

“Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden,” c/side said. “The goal isn’t to drain devices instantly, it is to persistently siphon resources over time, like a digital vampire.”

Magecart campaign

Meanwhile, the findings coincide with a Magecart skimming campaign that targets East Asian e-commerce sites using the OpenCart content management system (CMS). Attackers inject a fake payment form during checkout, collect financial information including bank details, and exfiltrate the data to their server.

In recent weeks, client-side and website-oriented attacks have taken various forms:

  • Attackers embed JavaScript that abuses the callback parameter of a legitimate Google OAuth endpoint (“accounts.google[.]com/o/oauth2/revoke”), redirecting users to an obfuscated JavaScript payload that creates a malicious WebSocket connection to an attacker-controlled domain.
  • They inject Google Tag Manager (GTM) scripts directly into the WordPress database (i.e., the wp_options and wp_posts tables) to load remote JavaScript, which then redirects visitors to over 200 spam domains.
  • By compromising a WordPress site's wp-settings.php file, attackers include a malicious PHP script from a ZIP archive that contacts a command-and-control (C2) server. This method ultimately leverages the site's search rankings to inject spammy content and boost sketchy sites in search results.
  • They also inject malicious code into a WordPress theme's footer PHP script to serve browser redirects.
  • In another tactic, they deploy a fake WordPress plugin, named after the infected domain to avoid detection, that activates only when search engine crawlers are present, thereby serving spam content to manipulate search engine results.
  • Furthermore, they distribute backdoored versions of the WordPress plugin Gravity Forms (specifically versions 2.9.11.1 and 2.9.12) via the official download page in a supply chain attack. These versions contact an external server to fetch additional payloads and add an admin account, granting the attacker full control over the site.

Conclusion

“If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload,” RocketGenius, the team behind Gravity Forms, said.

“If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions, such as expanding remote access, additional unauthorized arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data.”


Source: TheHackerNews
