Hackers Use WebAssembly Miner to Avoid Detection

Written by Emma Davis

Sucuri experts recently discovered 207 sites infected with a malicious cryptocurrency miner, whose work is based on the use of WebAssembly (Wasm) in the browser.

Let me remind you that we previously reported that the Vollgar mining botnet brute-forced Microsoft SQL servers for two years, and that the 8220 Group's cloud botnet infected 30,000 hosts for cryptocurrency mining.

Analysts say they launched the investigation after a computer belonging to one of Sucuri’s clients became noticeably slower whenever it opened the client’s own WordPress-powered portal. The investigation quickly uncovered a compromised theme file into which malicious JavaScript had been injected; the script was loaded from a remote server (hxxps://wm.bmwebm[.]org/auto.js) every time a page on the site was accessed.

“After decoding, the content of the auto.js file immediately demonstrates its functionality as a cryptominer, which starts mining cryptocurrency as soon as a visitor enters a hacked site,” experts say.

Moreover, it turned out that the deobfuscated auto.js uses WebAssembly to run low-level binary code directly in the browser. The researchers note that this is a very smart move by the hackers: the Wasm binary format makes the payload difficult to detect and analyze with conventional antivirus solutions, and the method can be used not only by miners but also, for example, by web skimmers, which can go unnoticed for long periods of time.


“When used in a browser, Wasm runs in its own isolated environment. Because it’s already compiled into assembly format, the browser can read and execute at speeds that JavaScript can’t match,” explains Sucuri.

The researchers also note that the attackers’ domain (wm.bmwebm[.]org) was registered back in January 2021, meaning the malicious infrastructure had been operating for more than 1.5 years without attracting any attention.

The domain could also automatically generate JavaScript files whose names masquerade as harmless files or regular services, including Google Ads (for example adservicegoogle.js or wordpresscore.js), to mask their malicious behavior.

“This functionality allows an attacker to inject scripts into various places on a hacked site, while maintaining the appearance that these injections are a normal part of the environment,” analysts say.
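As an added illustration (not Sucuri’s tooling and not code from the article), the following Python script shows how a site owner could check a WordPress theme file for the pattern described above: script tags that pull JavaScript from hosts outside an allowlist, file names matching the ones reported in this case, and indicators of a WebAssembly payload in the fetched script body. The theme snippet, the host wm.badhost.invalid, the allowlist and the script bodies are constructed for the example; the base64 prefix AGFzbQ is simply the encoding of the Wasm magic bytes (\0asm) followed by the version header, which is how an embedded module usually shows up inside JavaScript. As the article notes, the real auto.js had to be decoded first, so string indicators like these only fire on deobfuscated script text.

```python
"""Heuristic check of a WordPress theme file for remotely injected scripts
that carry a WebAssembly payload.  Added example with constructed inputs;
it is not Sucuri's code and not the malware described in the article."""
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_HOSTS = {"fonts.googleapis.com"}

# File names reported in the Sucuri case, including the ones chosen to
# look like Google Ads or WordPress core.
REPORTED_NAMES = {"auto.js", "adservicegoogle.js", "wordpresscore.js"}

# Strings that point at a Wasm module being loaded from JavaScript.
WASM_INDICATORS = (
    "WebAssembly.instantiate",
    "WebAssembly.compile",
    "WebAssembly.Module",
    "AGFzbQ",  # base64 of the wasm magic "\0asm" + version 1 header
)

SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)


def external_script_sources(html):
    """Return every <script src> URL whose host is not on the allowlist.
    Relative paths (served by the site itself) are ignored."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in ALLOWED_HOSTS:
            hits.append(src)
    return hits


def script_filename(url):
    """Last path component of a URL, lower-cased ('.../auto.js' -> 'auto.js')."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def wasm_indicators(js):
    """Indicator strings present in (already deobfuscated) script text."""
    return [needle for needle in WASM_INDICATORS if needle in js]


def scan_theme_file(html, fetched_scripts):
    """Report each external script with the reasons it looks suspicious.
    fetched_scripts maps a script URL to its body, retrieved out of band."""
    findings = []
    for src in external_script_sources(html):
        reasons = ["external host"]
        if script_filename(src) in REPORTED_NAMES:
            reasons.append("filename reported in the Sucuri case")
        hits = wasm_indicators(fetched_scripts.get(src, ""))
        if hits:
            reasons.append("wasm: " + ", ".join(hits))
        findings.append((src, reasons))
    return findings


# --- constructed sample data ----------------------------------------------
SAMPLE_HEADER = """<?php wp_head(); ?>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://fonts.googleapis.com/css?family=Open+Sans"></script>
<script src="https://wm.badhost.invalid/auto.js"></script>
<script type="text/javascript" src='https://wm.badhost.invalid/adservicegoogle.js'></script>
"""

# Constructed stand-in for a decoded loader: a base64 blob starting with the
# wasm header, handed to WebAssembly.instantiate.
SAMPLE_AUTO_JS = (
    "var b=atob('AGFzbQEAAAABBwFgAn9/AX8=');"
    "WebAssembly.instantiate(Uint8Array.from(b,c=>c.charCodeAt(0)),{})"
    ".then(r=>r.instance.exports.run());"
)
SAMPLE_ADSERVICE_JS = "document.write('');"  # decoy with no wasm content

SAMPLE_FETCHED = {
    "https://wm.badhost.invalid/auto.js": SAMPLE_AUTO_JS,
    "https://wm.badhost.invalid/adservicegoogle.js": SAMPLE_ADSERVICE_JS,
}

if __name__ == "__main__":
    for url, reasons in scan_theme_file(SAMPLE_HEADER, SAMPLE_FETCHED):
        print(url, "->", "; ".join(reasons))
```

The allowlist approach matters more than the name list: the article shows the attacker can generate new file names at will, so a name match is only corroborating evidence, while any script source outside the hosts the site owner actually uses is worth a look on its own.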

About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
