How to hide in plain sight
So here I am sitting at my computer…
Suddenly a spider crawls out of the plastic speaker box,
takes a good look around and goes back in…
And my first thought is: That's Dr.Web…
Checking for updates…))
An old joke
We repeat the phrase “criminals keep inventing new malware concealment methods” so often, it’s high time we found a way to abbreviate it. But sometimes the techniques we discuss are not just new, but extremely novel!
Security researchers discovered how unscrupulous site owners force user CPUs to mine cryptocurrencies even after the webpages involved have been closed.
A malicious script opens an invisible pop-under located underneath the clock on the Windows taskbar.
The window remains open indefinitely unless a user takes special steps to close it.
The window's coordinates vary with the screen resolution, but it always ends up behind the clock. The trick is not foolproof, however: if the system uses a semi-transparent theme, the pop-under can be spotted behind the taskbar (see the screenshot at the beginning of this issue).
“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the ‘X’ is no longer sufficient. The more technical users will want to run Task Manager to ensure there are no remnant running browser processes and terminate them”, wrote Malwarebytes lead analyst Jérôme Segura in that company’s blog.
The malicious procedure is performed as follows: a pop-under from elthamely[.]com is opened; then resources from Amazon (cloudfront[.]net) are loaded. After that, the payload is extracted from hatevery[.]info.
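One way a defender can sweep a host for windows parked in the taskbar strip, as an added example (not Dr.Web or Malwarebytes code): the rectangle logic below flags browser windows that lie almost entirely outside the desktop work area. The window rectangles are constructed sample values; on a real Windows host they would come from EnumWindows/GetWindowRect and SystemParametersInfo(SPI_GETWORKAREA), which this example assumes rather than calls.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int
    bottom: int

    def area(self) -> int:
        return max(0, self.right - self.left) * max(0, self.bottom - self.top)

    def intersect(self, other: "Rect") -> "Rect":
        return Rect(max(self.left, other.left), max(self.top, other.top),
                    min(self.right, other.right), min(self.bottom, other.bottom))

@dataclass(frozen=True)
class Window:
    title: str
    process: str
    rect: Rect
# Browser image names worth inspecting (assumption: the pop-under lives in a browser process).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}

def hidden_fraction(win: Rect, work_area: Rect) -> float:
    """Share of the window lying outside the work area, i.e. under the taskbar or off-screen."""
    total = win.area()
    if total == 0:
        return 1.0          # a zero-size window shows nothing at all
    return 1.0 - win.intersect(work_area).area() / total

def find_parked_windows(windows, work_area: Rect, threshold: float = 0.9):
    """Browser windows whose visible part inside the work area is (nearly) nothing."""
    return [w for w in windows
            if w.process.lower() in BROWSERS
            and hidden_fraction(w.rect, work_area) >= threshold]

# Constructed sample: 1920x1080 screen with a 40 px taskbar at the bottom, so the
# work area (what SPI_GETWORKAREA would report) ends at y=1040.
WORK_AREA = Rect(0, 0, 1920, 1040)
SAMPLE_WINDOWS = [
    Window("Mozilla Firefox", "firefox.exe", Rect(100, 100, 1500, 900)),    # normal window
    Window("Mozilla Firefox", "firefox.exe", Rect(1760, 1045, 1910, 1075)), # parked under the clock
    Window("Google Chrome", "chrome.exe", Rect(1500, 1000, 1900, 1070)),    # only partly covered
    Window("", "explorer.exe", Rect(1700, 1040, 1920, 1080)),               # the tray itself
]
if __name__ == "__main__":
    for w in find_parked_windows(SAMPLE_WINDOWS, WORK_AREA):
        print(f"suspicious: {w.process} {w.title!r} at {w.rect}")
```

The threshold leaves room for windows that merely overlap the taskbar edge; only a browser window with essentially no visible pixels in the work area is reported.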
Sweep dust into the corner where no one will notice it, and voilà!
Also note that the new miner is cautious enough not to harness 100% of a system’s resources. Users may never notice that their computer is working a little bit slower than usual.
And here’s the kicker:
The security researchers accidentally discovered this technique while visiting a pornographic site.
The purpose of their visit remains unknown.
In this case Dr.Web's Parental Control acts as the anti-virus: it will block access to all the nodes the mining code attempts to contact. Of course, you can blacklist the domains communicating with the miner manually, but that won't be particularly efficient because new iterations of the malicious code will use different addresses. It’s much easier to install Dr.Web Security Space.
PS. And one more kicker: it turned out that no one knew about the Trojan!
The Anti-virus Times suspects that someone got the infection indicator wrong.