An advertising network is hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it serves on customer sites, and has been doing so since December 2017, according to revelations made over the weekend by the Qihoo 360 Netlab team. This malicious advertising network has also found an efficient trick for avoiding users with ad blockers, a trick it uses to make sure both its ads and the cryptojacker reach all intended targets. Andy Norton, Director of Threat Intelligence at Lastline, commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“It’s not unexpected to see cryptojacking payloads use all the tools, techniques and procedures used by many other browser exploit or malvertising campaigns in the past. In addition, the emphasis of this campaign seems to be targeted at the consumer home user rather than a corporate target. This is yet another example of the internet democratizing access to information. In this case we are seeing well-documented malware domain generation algorithm tradecraft making its way into advertising networks. Previously, we have seen ransomware use nation-state-developed exploit code such as EternalBlue from the Vault7 WikiLeaks dumps. As defenders, we need to pay close attention to the malicious behaviours and techniques used, regardless of attacker attribution or motive.”