Attackers now Abusing google DoubleClick ads and running Malvertising Champaign into high traffic website to run the coinhive crypto miner and other web-based miners that connect to some private tools.
This Malware detected as JS_COINHIVE.GN and it mainly affected countries include Japan, France, Taiwan, Italy, and Spain.
Security researchers had a close look at 5 malicious domain where the traffic has dramatically increased and finally they confirmed that the traffic coming from DoubleClick advertisements.
Also, There are 2 web miners scripts are running in the malicious webpage and the script displays in the advertisement from DoubleClick.
These affected web pages are showing legitimate Google ads at the time of two web miners performing their task.
How does Coinhive Cryptocurrency Miner Works
When Random numbers generate a variable and it will be more than 10, then it will call the script called coinhive.min.js.
It will help to mine almost 80% of CPU Power and later a private web miner will be launched.
|api[.]l33tsite[.]info||Private Webminer Domain|
|ws[.]l33tsite[.]info||Private Webminer Domain|