Persistent cryptominer hides to mine after closing browser
Persistent cryptominer hides to mine after closing browser

A new drive-by cryptominer is using a unique technique which allows malicious site owners and threat actors to keep mining Monero even after closing their browser windows.

The miner uses a hidden browser window that remains open due to a pop-under, a pop up designed to load behind a user's screen, which is sized to fit under a user's task bar and hide behind the clock, Malwarebytes researchers said in a Nov. 29 blog post.

“This particular event was caught on an adult site that was already using aggressive advertising tricks,” researchers said in the post. The hidden windows coordinates vary based on each user's screen resolution but follow a formula to ensure the horizontal and vertical positions are behind the task bar.

The cryptomining script is silently loaded onto the victim's computer when a user visits a site employing the technique. The user's CPU activity increases but isn't maxed out and when the user leaves the site and closes the window, the CPU activity remains higher than normal as their resources are leached in the background.  

User's whose Windows themes allow for taskbar transparency may catch a glimpse of the rogue window situated behind the clock.  Users can also resize their taskbar and the malicious window will pop back up. The sneaky pop-under window is launched by the Ad Maven ad network and is hosted on an Amazon Web Services (AWS) server.

The miner sets itself apart from other cryptominers hosted on Amazon servers by retrieving a payload from another domain. The pop-under is designed to bypass adblockers and is harder to identify because of how it hides itself.

Researchers said more technical users should run task manager to ensure there aren't any remnants running browser processes and terminate them if there are.