A researcher pointed out that the Mirus malware is the latest technique that uses the CoinHive cryptomining script as its payload.
In this case, malware authors seem to capitalise on scripts such as CoinHive to consume compute power of visitors’ machines for mining crypto-currencies like Monero.
The research team detected that in February, there were 20,000 instances per day of cryptomining malware activity in infected systems.
"The rising popularity of cryptocurrencies has attracted cybercriminals towards cryptocurrency mining. More and more hacking groups have diverted their attention in creating malware that can use the resources of infected endpoints to mine cryptocurrency.
"This trend will keep growing looking at the interest cryptocurrencies are generating globally and the crazy valuations they are trading at," said Sanjay Katkar, Joint Managing Director and CTO, Quick Heal Technologies Ltd.
The malware spotted by Quick Heal also injects the script into HTML files, making it possible to “consistently run” it on the infected system. When the user opens the HTML file, the mining begins, and it stops when the HTML page is closed. While running, the script takes up 100 per cent of CPU usage for mining.
The malware also modifies registry entries with two lines of code which execute every time the system starts. The Registry in Windows is a database that stores configuration settings of all applications, Windows settings, user passwords, details on device drives among other data.
The report also notes that the virus hijacks the Windows Hosts file, which overrides DNS resolution of domain names on that particular computer. As a result, websites of anti-virus programmes may become inaccessible and some antivirus software may not receive updates.
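A defender can check for the Hosts file tampering described above by auditing the file for overridden security-vendor names. The following is an added example, not code from the Quick Heal report; the watchlist domains, the sample file contents and the function names are constructed placeholders, since the report excerpt names no specific domains.

```python
import ipaddress

# Constructed watchlist: placeholder domains standing in for antivirus vendors.
WATCHED_SUFFIXES = ("antivirus-vendor.example", "av-updates.example")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.antivirus-vendor.example   # injected entry
0.0.0.0         definitions.av-updates.example update.av-updates.example
203.0.113.7     intranet.corp.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) per mapping; skip comments and malformed lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return findings as (line_no, hostname, ip, reason) tuples."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        on_watchlist = any(name == s or name.endswith("." + s) for s in watched)
        if on_watchlist:
            # Any static override of a watched name bypasses DNS for it.
            findings.append((line_no, name, str(ip), "watched domain overridden"))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, name, str(ip), "non-local name sinkholed"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; sinkholed names that are not on the watchlist can also come from legitimate ad-blocking lists, so they are reported with a separate reason.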
Updates: The average cryptomining scripts activity per day as observed by the firm and CTO's response have been added.