Notebookcheck

New cryptomining exploit continues to use your resources even after the browser window is closed

Logo of the Monero cryptocurrency, the main currency mined using the Coinhive browser-based miner. (Source: Monero)
Logo of the Monero cryptocurrency, the main currency mined using the Coinhive browser-based miner. (Source: Monero)
Malwarebytes has identified the use of pop-under windows which contain a cryptomining script to bypass adblockers and continue to run even after the user has closed the visible browser windows.

There have been several cases in the last couple of months of the Coinhive cryptomining code being used for nefarious purposes. Generally, it involves the code being implanted in an unsuspecting website or plugin and using visitor’s CPU cycles to process cryptocurrency transactions. Websites administrators can also implement the code directly themselves.

Until recently it was a safe assumption that once the offending website is closed — or the browser is shut down — the mining will stop, and the CPU load will disappear. Malwarebytes has now uncovered a method which allows attackers to create a pop-under that hides a compact browser window underneath the clock in the taskbar. When the main browser window is closed, the hidden window continues to process the cryptomining code unbeknown to the user.

Malwarebytes observations were that once a website using this method is visited the drive-by cryptomining starts. CPU activity rises noticeably (using an unidentified dual-core/non-HT CPU) but leaves enough headroom that other than an increase in fan noise the user might not notice anything unusual, once the browser is closed the high CPU activity continues unless the pop-under is found and terminated.

This method also acted in a way that bypassed adblockers and the stealth way in which it appears means that using task manager or another program designed to monitor processes are a good way to identify if any remnants of the browser remain active (users can also check for the active window icon in the taskbar). This testing was all performed using Google Chrome and although Malwarebytes says that experiences might be different using other browsers, it would stand to reason that any browser which allows the creation of a separate compact window in the background could allow this attack method.

We recommend visiting the original Malwarebytes report for additional details and explaination.

Comparison in appearance between Windows 7 and Windows 10. (Source: Malwarebytes)
Comparison in appearance between Windows 7 and Windows 10. (Source: Malwarebytes)

Source(s)

static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2017 11 > New cryptomining exploit continues to use your resources even after the browser window is closed
Craig Ward, 2017-12- 2 (Update: 2017-12- 3)
Craig Ward
Craig Ward - News Editor
I grew up in a family surrounded by technology, starting with my father loading up games for me on a Commodore 64, and later on a 486. In the late 90's and early 00's I started learning how to tinker with Windows, while also playing around with Linux distributions, both of which gave me an interest for learning how to make software do what you want it to do, and modifying settings that aren't normally user accessible. After this I started building my own computers, and tearing laptops apart, which gave me an insight into hardware and how it works in a complete system. Now keeping up with the latest in hardware and software news is a passion of mine.