Monero mining malware hits 3,500+ sites as cryptojacking attacks make a comeback

Source Cryptopolitan

Cryptojacking attacks are back again, compromising more than 3,500 websites and silently hijacking users’ browsers to mine Monero, a privacy-focused cryptocurrency. The campaign was uncovered by cybersecurity firm c/side on Tuesday, almost seven years after defunct service Coinhive was shut down after popularizing the tactic since 2017.

According to c/side researchers, the malware is hidden in obfuscated JavaScript code that silently deploys a miner when users visit an infected site. Once a visitor lands on the compromised page, the script quietly evaluates the device’s computing power. Then it launches parallel Web Workers in the background to perform mining operations, without the user’s consent.

By throttling processor usage and routing communication through WebSocket streams, the miner avoids detection, hiding behind normal browser traffic. “The goal is to siphon resources over time, like a digital vampire persistently,” c/side analysts explained.

How the cryptojacking code operates

c/side found a code inserted on a website through a third-party JavaScript file loaded from https://www.yobox[.]store/karma/karma.js?karma=bs?nosaj=faster.mo. Instead of directly mining Monero on initial execution, it first checks if the user’s browser supports WebAssembly, a standard for running applications with high processing demands. 

The code then gauges if the device is suitable for mining, and spins up background Web Workers dubbed “worcy,” which handle the mining tasks discreetly and leave the main browser thread undisturbed. Commands and mining intensity levels are inserted from a command-and-control (C2) server via WebSocket connections. 

The hosting domain of the JavaScript miner has previously been linked to Magecart campaigns, infamous for stealing payment card details. This could mean the group behind the current campaign have a history in cybercrime. 

Threat spreads through website exploits

In recent weeks, cybersecurity sleuths have discovered several client-side attacks on websites running on WordPress. The researchers spotted infection methods that embed malicious JavaScript or PHP code into WP sites.

Cryptojacking hits markets, Monero miner malware targets 3,500+ sites
Coinhive short url. Source: Malwarebytes.com

Attackers have started abusing Google’s OAuth system by embedding JavaScript in callback parameters tied to URLs such as “accounts.google.com/o/oauth2/revoke.” The redirect takes browsers through a cloaked JavaScript payload that establishes a WebSocket connection to the bad actor’s server.

Another method injects scripts via Google Tag Manager (GTM), which is then directly embedded into WordPress database tables like wp_options and wp_posts. This script silently redirects users to over 200 spam domains. 

Other approaches include changes in WordPress’s wp-settings.php files to fetch payloads from ZIP archives hosted on remote servers. Once activated, these scripts infect a site’s SEO rankings and add content to improve visibility for scam websites.

In one case, code was injected into a theme’s footer PHP script, causing a browser to redirect a user to malicious websites. Another involved a fake WordPress plugin named after the infected domain that detects when search engine crawlers visit the page. It would then spam content to manipulate search engine rankings, still hidden from human visitors.

C/side mentioned how Gravity Forms plugin versions 2.9.11.1 and 2.9.12 were compromised and distributed through the official plugin site in a supply chain attack. The tampered versions contact an external server to fetch additional payloads and attempt to create an administrative account on the WordPress site.

In Fall 2024, the US Agency for International Development (USAID) fell victim to cryptojacking after Microsoft alerted the agency to a breached administrator account in a test environment. The attackers used a password spray attack to access the system, then created a second account for crypto mining operations via USAID’s Azure cloud infrastructure.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Ripple Price Forecast: XRP slips as investors lock in $300M profit ahead of Fed Chair Powell's speechXRP fell 3% to $2.85 on Thursday as investors booked over $300 million in profits following hawkish Federal Open Market Committee (FOMC) minutes from its July meeting.
Author  FXStreet
Yesterday 01: 24
XRP fell 3% to $2.85 on Thursday as investors booked over $300 million in profits following hawkish Federal Open Market Committee (FOMC) minutes from its July meeting.
placeholder
Ethereum Price Forecast: ETH risks selloff as supply in profit tops 90% ahead of Powell's speechEthereum's (ETH) large percentage of supply in profit could stir selling activity as hawkish signs continue to grow on Thursday, ahead of Federal Reserve (Fed) Chair Jerome Powell's speech at Jackson Hole.
Author  FXStreet
Yesterday 01: 29
Ethereum's (ETH) large percentage of supply in profit could stir selling activity as hawkish signs continue to grow on Thursday, ahead of Federal Reserve (Fed) Chair Jerome Powell's speech at Jackson Hole.
placeholder
Gold slips as reduced Fed rate cut bets underpin USD ahead of Powell's Jackson Hole speechGold (XAU/USD) remains under some selling pressure for the second straight day on Friday, though it manages to hold above the overnight swing low.
Author  FXStreet
Yesterday 05: 49
Gold (XAU/USD) remains under some selling pressure for the second straight day on Friday, though it manages to hold above the overnight swing low.
placeholder
Forex Today: US Dollar extends weekly uptrend ahead of Powell speech at Jackson HoleThe US Dollar (USD) stays resilient against its rivals early Friday after posting decisive gains on Thursday.
Author  FXStreet
Yesterday 07: 39
The US Dollar (USD) stays resilient against its rivals early Friday after posting decisive gains on Thursday.
placeholder
Jerome Powell expected to give clues about Fed rate path in Jackson Hole speechUS Federal Reserve (Fed) Chair Jerome Powell is scheduled to deliver a speech on “Economic Outlook and Framework Review” at the annual Jackson Hole Economic Symposium on Friday at 14:00 GMT.  
Author  FXStreet
Yesterday 09: 34
US Federal Reserve (Fed) Chair Jerome Powell is scheduled to deliver a speech on “Economic Outlook and Framework Review” at the annual Jackson Hole Economic Symposium on Friday at 14:00 GMT.  
goTop
quote