A new way of extracting cryptocurrencies using JavaScript in the browser

For many years, cybercriminals have been using the fact of digging cryptocurrencies to earn money. For this purpose, they usually use malicious software or potentially unwanted applications installed on victims' computers. Experts from ESET have analyzed a new way of extracting cryptocurrencies using JavaScript in a web browser.

The user can obtain a cryptocurrency by buying it, but he can also independently "dig" further coins, using for this purpose the computing power of computers on which the software for this purpose has been installed. This time, cybercriminals, knowing that the default settings of most browsers include JavaScript enabled, put a script to excavate cryptocurrencies on websites that generate high traffic, then to earn not just cyber, but real money.

It is easier to reach more users through infected websites than by direct infection of the operating system. In this case, the attackers injected scripts on sites with high traffic, mainly attacking users from Russia, Ukraine, Belarus, Moldova and Kazakhstan - says Kamil Sadkowski, a threat analyst at ESET.

To extract Feathercoin cryptocurrencies, Litecoin and Monero, hackers injected malicious JavaScript code into video streaming sites and websites that allow online gaming, because users on such sites spend more time, allowing longer scripts and more computing power for their computers. As analysts from ESET show, this extraction method is less effective because it is up to two times slower compared to the standard method. A larger number of users compensates for this loss.

Most infections broken down by country.

Scheme of using malicious scripts to dig cryptocurrency.


The main method of distributing "mining scripts" is malvertising. Typically, this involves buying traffic from the Display Network and distributing malicious JavaScript code instead of traditional advertising. Most of the parties involved in these incidents allow you to watch movies and play online. This makes sense because users spend more time digging crypts, which they do not even realize. In addition, such sites consume more CPU power, which additionally masks the actions of cheaters.

Websites involved in digging cryptocurrencies.

The 100% CPU load on the wotsite [.] Net page can not be a coincidence.

ESET warns against disregarding the threat. Enabling the detection of potentially unsafe applications and potentially unwanted applications (PUAs) in an antivirus program is one of the basic steps to safeguard yourself. Updating to a newer version of the software installed on your computer, including web browsers and antivirus programs, is just as obvious. However, one of the better methods of defending against malicious scripts on websites is blocking them, including advertisements, using the "uBlock" plugin. On the other hand, the installation of the "NoScript" plugin that blocks the scripts on websites may disable some of the features of websites, but in the hands of technically advanced users it will be an excellent form of security.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.