New Cryptocurrency Mining Technique Uses Pop-Under Windows to Evade Detection

In addition to embedding cryptocurrency-mining JavaScript code in websites and browser extensions, profit-motivated actors are now using “pop-under” windows to perform in-browser mining while attempting to evade detection. Often used in online advertising campaigns, a “pop-under” is a smaller window that is generated behind the user’s primary browsing window. When used in cryptocurrency-mining campaigns, malicious websites generate pop-under windows containing JavaScript mining code that steals visitors’ system resources even after the primary browsing window is closed. To evade detection while it mines cryptocurrency, the pop-under window hides itself behind the clock next to the Microsoft Windows taskbar.

If impacted, end users may experience system slowness or crashing, and mobile devices such as laptops and tablets may see reduced battery life.

The NJCCIC recommends all Microsoft Windows users review the Malwarebytes Labs report and familiarize themselves with this new tactic. Additionally, if users suspect unauthorized mining activity is occurring, we recommend pinning the browser to the taskbar, then right-clicking the icon and selecting the “Close Window” option to close all browser instances.