Crypto Malware Targets Facebook Messenger
As Bitcoin and cryptocurrencies become more popular, hackers and cybercriminals will devise ever more devious ways to exploit unsuspecting users and their computers. Facebook is probably home to the largest number of technology-challenged people on the planet, which makes it an easy platform on which to disseminate malware.
According to a report in The Independent, security researchers at Trend Micro have discovered malware that infects Facebook Messenger in order to surreptitiously mine cryptocurrency. The mining bot, called Digmine, harnesses CPU resources in the background to mine Monero, an anonymous coin which currently trades for around $350.
The malware is disguised in a video file using the name video_xxxx.zip and will appear to come from someone in your contacts list whose machine has already been compromised. It is activated only via the desktop version of Messenger on Google Chrome and does not currently affect mobile versions of the instant chat software.
It can give hackers a backdoor into your Facebook account, which can then be used to target everyone in your contacts list, spreading the malware even further. According to the cybersecurity firm:
If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line.
Digmine primarily installs a cryptocurrency miner called miner.exe, a modified version of the open-source Monero miner XMRig. This silently mines Monero in the background, sending the proceeds to the attackers. The bot also installs an auto-start mechanism that launches Chrome with a malicious extension, allowing the attackers to access victims’ Facebook profiles and spread the malicious video file to their friends list via Messenger.
Chrome extensions can normally only be installed from the official Chrome Web Store; the attackers bypass this by launching the browser from the command line with the malicious extension loaded directly.
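Seen from the defender's side, the launch technique described above leaves a recognisable trace in process-creation telemetry. The following Python is an added example, not code from the article or from Trend Micro: it scans constructed process-creation records for Chrome started with the Chromium `--load-extension` and `--disable-extensions-except` switches. Those switch names are real Chromium flags, but that Digmine uses exactly these, and the sample paths and parent processes, are assumptions.

```python
import re

# Constructed sample process-creation events (not real Digmine telemetry):
# a normal Chrome launch, a Chrome launch that side-loads an unpacked
# extension from a user-writable directory, and an unrelated process.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"pid": 4188, "parent": "cmd.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\alice\AppData\Roaming\xmr\ext" '
                r'--disable-extensions-except="C:\Users\alice\AppData\Roaming\xmr\ext" '
                r'https://www.facebook.com/'},
    {"pid": 4201, "parent": "explorer.exe",
     "cmdline": r'notepad.exe C:\Users\alice\notes.txt'},
]

# Chromium switches that load an unpacked extension without going through
# the Chrome Web Store (assumed to be how the extension above is launched).
SIDELOAD_SWITCHES = ("load-extension", "disable-extensions-except")

# Matches --switch or --switch=value, where value may be double-quoted.
SWITCH_RE = re.compile(r'--([\w-]+)(?:=("[^"]*"|\S+))?')


def parse_switches(cmdline: str) -> dict:
    """Return {switch: value} for every --switch[=value] on a command line."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        switches[m.group(1)] = (m.group(2) or "").strip('"')
    return switches


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first (possibly quoted) token."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_sideloaded_chrome(events) -> list:
    """Flag Chrome launches that pass an extension side-loading switch."""
    hits = []
    for ev in events:
        if image_name(ev["cmdline"]) != "chrome.exe":
            continue
        sw = parse_switches(ev["cmdline"])
        used = [s for s in SIDELOAD_SWITCHES if s in sw]
        if used:  # record what to investigate: parent, switches, extension path
            hits.append({"pid": ev["pid"], "parent": ev["parent"], "switches": used,
                         "extension_path": sw.get("load-extension", "")})
    return hits
```

A hit whose extension path sits under a user-writable directory such as AppData, or whose parent is a shell or scheduled task rather than the user's desktop session, is the case worth escalating.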
Trend Micro went on to clarify:
The extension will read its own configuration from the C&C [command and control] server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.
Facebook is a hotbed for scams, spam, clickbait, and malware so it pays to be a little more vigilant if you are a heavy social media user.
Have you been a victim of the Digmine malware? Were you able to remove it from your machine? Let us know in the comments below.
Images courtesy of Adam Jeffery/CNBC