Vulnerability Management

WebAssembly increasingly used for cryptomining

Cybercriminals have leveraged browser-based WebAssembly to compromise up to 207 websites with malicious code for cryptocurrency miner deployment, The Hacker News reports. Sucuri researchers discovered that impacted websites had a theme file compromised to facilitate the injection of the malicious JavaScript code named 'hxxps://wm.bmwebm[.]org/auto.js' that would then load upon accessing the webpage. "Once decoded, the contents of auto.js immediately reveal the functionality of a cryptominer which starts mining when a visitor lands on the compromised site," said Sucuri researcher Cesar Anjos. WebAssembly is then leveraged by the deobfuscated auto.js code to allow low-level binary code execution on the browser. The report also showed that the actor-controlled domain 'wm.bmwebm[.]org', which has been undetected for more than a year and a half, could enable automated generation of JavaScript files impersonating Google Ads and other legitimate services. "This functionality also makes it possible for the bad actor to inject the scripts in multiple locations on the compromised website and still maintain the appearance that injections 'belong' within the environment," added Anjos.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.