A New Cryptocurrency Mining Virus is Spreading Through Facebook

RESEARCH CREW
8:05 07/05/2018
facebook-malware-hacking
If you receive a link for a video, even if it looks exciting, sent by someone (or your friend) on Facebook messenger—just don't click on it without taking a second thought.Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials.Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month.
New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.It is not the first malware to abuse Facebook Messenger to spread itself like a worm.Late last year, Trend Micro researchers discovered a Monero-cryptocurrency mining bot, dubbed Digmine, that spreads through Facebook messenger and targets Windows computers, as well as Google Chrome for cryptocurrency mining.
facebook-chrome-malware-hacking
Just like Digmine, FacexWorm also works by sending socially engineered links over Facebook Messenger to the friends of an affected Facebook account to redirect victims to fake versions of popular video streaming websites, like, YouTube.It should be noted that FacexWorm extension has only been designed to target Chrome users. If the malware detects any other web browser on the victim's computer, it redirects the user to an innocuous-looking advertisement.

How Does the FacexWorm Malware Work

If the malicious video link is opened using Chrome browser, FacexWorm redirects the victim to a fake YouTube page, where the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video.
Once installed, FacexWorm Chrome extension downloads more modules from its command and control server to perform various malicious tasks.
"FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened," the researchers said.
"Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage."
Since the extension takes all the extended permissions at the time of installation, the malware can access or modify data for any websites the user opens.Here below I have listed a brief outline of what FacexWorm malware can perform: 
So far, researchers at Trend Micro have found that FacexWorm has compromised at least one Bitcoin transaction (valued at $2.49) until April 19, but they do not know how much the attackers have earned from the malicious web mining.Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).The FacexWorm malware has been found surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. But since Facebook Messenger is used worldwide, there are more chances of the malware being spread globally.Chrome Web Store had removed many of the malicious extensions before being notified by Trend Micro researchers, but the attackers keep uploading it back to the store.Facebook Messenger can also detect the malicious, socially engineered links and regularly block the propagation behavior of the affected Facebook accounts, researchers said.Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.
TIN LIÊN QUAN
🌟 ASCIS là cuộc thi CTF thường niên lớn nhất dành cho sinh viên các nước ASEAN do Hiệp hội An toàn thông tin Việt Nam (VNISA) chủ trì phối hợp với một số đơn vị tổ chức, dưới sự bảo trợ của Bộ Giáo dục và Đào tạo, Bộ...
🚩 Cuộc thi An toàn Thông tin ISITDTU CTF 2022 do trường Đại học Duy Tân, Đà Nẵng tổ chức đã chính thức khép lại vào ngày 18/12. Hai đội purf3ct (đại diện cho CNSC @UIT) và Sp33d_0f_T1m3 (đại diện do UIT) đã có màn thi đấu ấn tượng với...
Câu nói được sử dụng làm tiêu đề trích từ câu nói của nhà Sinh lý học và Y học Horace Freeland Judson - người đoạt giải Nobel năm 1962 cho thấy tầm quan trọng của thông tin do DNA cung cấp không chỉ ở lĩnh vực y học mà...