Zero-day malware is threatening to steal Facebook credentials

7 extensions on Google web store are found to be infected with malware

Facebook users are once again threatened by malware. This time, new campaign related to this social network was detected by Radware security team.^[1] The virus, which was dubbed Nigelthorn, enters systems via the cleverly engineered links on Facebook. Malware is capable of stealing personal data (such as credentials) and installing a malicious extension which additionally is used to mine cryptocurrency on the targeted machine. It was announced that the virus, since March 2018, has already infected over 100,000 users.

To bypass Google's validation analysis, hackers copied a legitimate extension and injected it with the malicious script so that malware could be executed without being noticed. Most targeted extensions include Nigelify, PwnerLike, and iHabno. In total, seven apps have been found to contain a malicious code of Nigelthorn. Fortunately, Google removed malevolent apps within hours of being published.

It is worth mentioning that Google Chrome users are the only ones who were affected as the malware was only injected into Chrome's extensions.

The way Nigelthorn works

As it is common with Facebook viruses,^[2] the user either receives a private message from a person in his or hers friends list or is tagged in a post which contains a malicious link. After clicking it, users are led to a fake YouTube website which is asking them to install the specific application to play the video.

If users proceed, they install an app, typically Nigelify, which extracts the malignant code and the computer gets instantaneously infected with malware. The JavaScript^[3] then downloads a configuration file from hackers' C2^[4] that includes a set of plugins (crypto miner, YouTube click bait and a code which compromises Facebook link reproduction).

In addition, Nigelthorn downloads a publicly available crypto-mining tool for a browser and starts mining Monero, Bytecoin or Electroneum on a compromised machine. It goes without saying that the CPU of the computer decreases as its usage jumps to almost 100%. Security researchers announced that cybercriminals have managed to mine nearly $1000 in over six days (mostly Monero).

Malware also starts the cycle of self-spreading. It collects relevant information to be able to spread malware on user's network. As soon as the victim clicks on the malicious link it also sends the copy of the message to a random person from the friend list. This way, malware continues spreading around.

Finally, the virus tries to steal credentials of victim's Facebook account, as well as cookie information from Instagram. If a user enters his or her credentials, this information is sent to bad actors' C2.

The Facebook virus is not going to stop infecting users

It is evident that Facebook viruses are not going anywhere as they seem to be highly successful in convincing users to click on malicious links and then infecting they systems with malware. As it is evident from recent Stresspaint^[5] and FacexWorm^[6] campaigns, cybercriminals will continue finding different ways to bypass built-in security measures. Hence, users should be extremely cautious when clicking on links, even if they seem legitimate or coming from a trusted friend.