"Hackers Increasingly Using WebAssembly-Coded Cryptominers to Evade Detection"

As many as 207 websites have been infected with malicious code that uses WebAssembly on the browser to launch a cryptocurrency miner. The web security company Sucuri, which revealed the details of the campaign, said it launched an investigation after a computer belonging to one of its clients slowed down significantly every time they navigated to their own WordPress portal. This revealed a compromise of a theme file to inject malicious JavaScript code from a remote server that is loaded whenever a page on the website is accessed. The contents of auto.js, once decoded, immediately reveal the functionality of a cryptocurrency miner, which begins mining when a visitor lands on the compromised site. Furthermore, the deobfuscated auto.js code uses WebAssembly to run low-level binary code directly on the browser. WebAssembly is a binary instruction format supported by all major browsers that offers performance improvements over JavaScript. It enables applications written in languages such as C, C++, and Rust to be compiled into a low-level assembly-like language that can be directly run on the browser. WebAssembly runs in its own sandboxed execution environment when used in a web browser. Since it has already been compiled into an assembly format, the browser can read and execute its operations at a rate JavaScript cannot. The actor-controlled domain is said to have been registered in January 2021, implying that the infrastructure remained operational for more than 1.5 years without being noticed. To conceal its malicious behavior, the domain can also automatically generate JavaScript files that masquerade as seemingly harmless files or legitimate services such as Google Ads (e.g., adservicegoogle.js, wordpresscore.js, and facebook-sdk.js). This functionality allows the malicious actor to inject the scripts in multiple locations on the compromised website while still giving the impression that the injections belong in the environment. This article continues to discuss the increased use of WebAssembly-coded cryptocurrency miners by cybercriminals to make detection and analysis difficult.

THN reports "Hackers Increasingly Using WebAssembly-Coded Cryptominers to Evade Detection"