Malvertising can do many things. A common trick is to hijack your browser and redirect you to another website. Similarly, it could open another browser window and send that traffic to another website. This trick is not new; we've seen and reported on it for years. It's so common you may see it today at imgur if you turn your ad blocker off. Ad networks never did quite get the hang of stopping such shenanigans, so users have blocked ads instead.
We started digging into our telemetry and found that the threat was partially distributed using malvertising. This kind of CPU-intensive task is generally prohibited by the majority of ad networks because it substantially degrades the user experience. It might seem counterintuitive to mine cryptocurrencies in the browser – we know that mining bitcoins requires a lot of CPU power – but the cybercriminals, as we will see later on, chose to mine cryptocurrencies that do not require custom hardware to mine effectively. Also, it is easier to reach a significant number of machines by “infecting” websites than it is by infecting user machines.
The websites targeted with this are popular video streaming and game streaming services, which ensures that visitors and their browsers stay around for as long as possible to mine.