Adware Launches In-Browser Mining Sites Pretending to be Cloudflare

Posted on May 17, 2018

FileTour is an adware bundle that is commonly spread as cracks or cheats for games and other software. This bundle is notorious for crossing the line between what is traditionally known as adware and PUPs and more dangerous computer infections such as password-stealing Trojans and miners. It has now started to create a Windows autorun that automatically launches Chrome and connects to an in-browser mining page when a user logs into Windows.

To make matters worse, it does this in a way that makes Chrome invisible to the user. When the browser opens this page in the background, it executes embedded JavaScript that launches a CoinCube in-browser miner script. This causes Chrome to spike to 70-80% CPU utilization in Task Manager as it mines cryptocurrency, even though the window is not visible.

As you can see, by using a headless in-browser miner window, most people will not even notice that they are infected with anything. Yes, their computer may feel slow and some might even check Task Manager and notice Chrome’s strange behavior, but for most users this miner can run for days, if not weeks, without being detected.
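A defender can look for this pattern by reviewing autorun entries for a browser that is started at logon with a URL and a window-hiding switch. The following triage script is an added example, not code from the article or from the adware. The sample entries are constructed, and the article does not say which hiding mechanism is used, so the `--headless` and off-screen `--window-position` indicators and the browser watch list are assumptions.

```python
import ntpath
import re
import shlex

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # assumed watch list
# Chromium switches that keep a window off the user's screen. The article does
# not say which mechanism the adware uses; these indicators are assumptions.
OFFSCREEN = re.compile(r"^--window-position=(-?\d+),(-?\d+)$")


def hidden_indicators(args):
    """Return the switches in args that hide the browser window."""
    hits = [a for a in args if a.lower().split("=")[0] == "--headless"]
    for a in args:
        m = OFFSCREEN.match(a.lower())
        if m and min(int(m.group(1)), int(m.group(2))) < -1000:
            hits.append(a)
    return hits


def triage_autoruns(entries):
    """Map autorun name -> (verdict, evidence) for entries opening a URL in a browser."""
    findings = {}
    for name, command in entries:
        # posix=False leaves the backslashes in Windows paths alone.
        tokens = [t.strip('"') for t in shlex.split(command, posix=False)]
        idx = next((i for i, t in enumerate(tokens) if ntpath.basename(t).lower() in BROWSERS), None)
        if idx is None:
            continue
        args = tokens[idx + 1:]
        urls = [a for a in args if a.lower().startswith(("http://", "https://"))]
        hidden = hidden_indicators(args)
        if urls:
            verdict = "hidden-browser-autorun" if hidden else "browser-url-autorun"
            findings[name] = (verdict, hidden + urls)
    return findings


# Constructed sample autorun entries (name, command line); not from the article.
SAMPLE = [
    ("OneDrive", r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --headless --disable-gpu https://miner.example/cf.html'),
    ("Helper", r'cmd.exe /c start "" "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-32000,-32000 http://miner.example/'),
    ("Homepage", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example/'),
]

if __name__ == "__main__":
    for name, (verdict, evidence) in triage_autoruns(SAMPLE).items():
        print(name, verdict, evidence)
```

An entry that only opens a URL at logon is reported with the lower-severity verdict, since kiosk and intranet setups do this legitimately; the hidden-window verdict is the one that matches the behaviour described above.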