Researcher Jerome Segura of Malwarebytes said on Wednesday his team discovered scumbags had written some custom code to keep Coin Hive's freely available in-browser Monero miner running even after someone closes the tab or surfs to another site: it's a low-tech trick that web ads have employed for years – yes, it's a pop-under window.
The idea, said Segura, is that when you visit a site, a small, hard-to-spot window is opened. That pop-under window, rather than the main page, runs the actual mining code, and it is tucked beneath the Windows taskbar.
Because of this, the site owner – or hackers who injected the code – can continue to use the victim's CPU to mine altcoins even after the victim has navigated away from the page or closed the main browser window entirely.
"The trick is that although the visible browser windows are closed, there is a hidden one that remains open," Segura explained in a blog post.
"This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule."
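To make the positioning trick concrete, here is an added example in JavaScript. It is not code from the Malwarebytes post, Coin Hive, or the miscreants' script: it assumes a window size of 100×40 pixels and places that window's bottom-right corner at the bottom-right of the physical screen, which is where the taskbar clock sits on a default Windows desktop. Those numbers are assumptions, not the rule quoted above. The example also includes the defender-side check an extension could use to flag a window parked beneath the taskbar. No mining code is included; the opened page is a placeholder.

```javascript
// Added example: pop-under placement and a matching detection check.
// Not the code from the Malwarebytes write-up; sizes/offsets are assumed.

// Assumed pop-under dimensions (not the offsets used by the real script).
const POP_UNDER_SIZE = { width: 100, height: 40 };

// Compute where to put the window so it sits behind the clock.
// Using screen.height (the full display) instead of screen.availHeight
// (the desktop minus the taskbar) is what pushes the window under the bar.
function popUnderGeometry(screenWidth, screenHeight, size = POP_UNDER_SIZE) {
  return {
    left: screenWidth - size.width,
    top: screenHeight - size.height,
    width: size.width,
    height: size.height,
  };
}

// Turn the geometry into the third argument of window.open().
function featureString(geom) {
  return [
    `width=${geom.width}`,
    `height=${geom.height}`,
    `left=${geom.left}`,
    `top=${geom.top}`,
    'toolbar=no',
    'menubar=no',
    'status=no',
  ].join(',');
}

// Open the hidden window and hand focus straight back to the opener, the
// classic pop-under move. Returns null when there is no DOM (e.g. Node).
function openPopUnder(url, win = globalThis.window) {
  if (!win || typeof win.open !== 'function') return null;
  const geom = popUnderGeometry(win.screen.width, win.screen.height);
  const child = win.open(url, '_blank', featureString(geom));
  if (child) {
    if (typeof child.blur === 'function') child.blur();
    if (typeof win.focus === 'function') win.focus();
  }
  return child;
}

// Defender-side check: a window whose top edge is at or below the available
// desktop height lies entirely under the taskbar and deserves suspicion.
function isUnderTaskbar(geom, availHeight) {
  return geom.top >= availHeight;
}

// Stand-alone demo with a constructed 1920x1080 screen and a 40px taskbar.
const demoGeom = popUnderGeometry(1920, 1080);
console.log(featureString(demoGeom));
console.log('hidden under taskbar:', isUnderTaskbar(demoGeom, 1040));
```

Current browsers clamp window.open() coordinates to the visible desktop and enforce minimum window sizes, so the exact placement may be adjusted by the browser; the detection check still applies to whatever geometry the window ends up with (compare window.screenY against screen.availHeight from inside a page or extension).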
Malwarebytes says that in addition to using the hidden pop-under windows, the miner also tries to skirt detection by limiting its CPU use so as to avoid slowing down the machine enough to alert users. The sites hosting the miners, via embedded ads, are also designed to avoid ad-blocking tools, making it even harder to stop the illicit crypto-mining.
"Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves," wrote Segura.
"If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers."
There are, however, ways to catch the covert coin contraptions. Malwarebytes notes that the Windows Task Manager will show the activity as a browser process that can be ended, and the Windows taskbar will show that the browser is still running after all windows have been closed.
Once the browser application itself has been fully closed, the crypto-mining session will cease. ®