Digmine Monero miner started spreading via Facebook Messenger

Crypto-mining malware spreads as a fake video link via Facebook Messenger

Digmine miner started spreading via Facebook Messenger

The Facebook virus[1] is back with a new version called Digmine. It’s a Monero[2] cryptocurrency mining malware that spreads via Facebook Messenger in South Korea, Vietnam, Azerbaijan, Philippines, Thailand, Venezuela, and Ukraine as a fake video link. However, it is expected to spread further around the world.

Digmine cryptocurrency miner only affects desktop or web versions of Facebook Messenger, and only in Google Chrome. Thus, it cannot use your mobile device to mine virtual money.

The virus follows the same scheme we have seen in previous versions of Facebook Messenger virus.[3] The malware sends a fake video link, and once clicked, malicious components are downloaded into the system. Then virus continues spreading further via victim’s contacts. However, Digmine slightly differs from other variants because it does not hijack the Facebook account.

Digmine takes advantage of Facebook auto-login feature

Usually Facebook virus compromises accounts. However, Digmine does not do that yet. Researchers from Trend Micro[4] say that structure of the virus allows adding this feature if criminals would like to. Currently, miner spreads via Messenger if a user enabled automatic login to Facebook.

When a user clicks on a compromised link, malware downloads components from its Command and Control (C&C) server to %appdata%\\<username> directory, including system infection, autostart mechanism and malicious Chrome extension.

Once the installation of Digmine’s components is over, the malware runs or relaunches Google Chrome in order to make sure that malicious extension is loaded. Then malware has two options, it either logs in to Facebook or opens a fake video streaming website that is full of malware-related entries.

However, the main task for the Digmine is to manipulate Facebook Messenger and spread a malevolent video link. The message itself does not say anything. It just drops a video link which is named following this scheme: “video_[4 random numbers].zip.

As we have mentioned, crypto-currency miner does not hack accounts. It just takes advantage of the Facebook auto-login feature. If a user has set the automatic login to Facebook, the malicious browser extension can take advantage of the situation. It downloads an additional script and interacts with Messenger in order to spread a malicious link to victim’s contact list.

Monero mining activities

The purpose of the malware is to mine virtual currency. Thus, it is created to remain on the system as long as possible and infect as many devices as possible.

During the installation, Digmine also downloads miner management component codex.exe. This file is designed to communicate with another Command and Control server. When it establishes the connection, it gets a command from C&C server to download the miner and its configuration files.

Criminals are using XMRig open-source CPU miner which is created to mine Monero. However, they made some alterations and customized it.

Facebook knows about the issue

Trend Micro reported about detected cryptocurrency mining bot spreading via Messenger to Facebook. The malicious links were immediately removed from the social network. However, miner’s functionality allows assuming that crooks might modify the link or the virus itself to strike again.

Users are advised to strengthen their social media account’s security.[5] However, Facebook also told to Trend Micro that they are willing to give additional help to victims if miner continues spreading:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners.”

Additionally, we want to add that social networks users should be careful with received links or files. We recommend asking the sender if he or she really wanted to share something with you before making the fatal click.

What is more, you should pay attention to the link itself. When you send a video or a link via Messenger, it usually generates a preview window. Meanwhile, the malware sends just a plain link. Thus, seeing “video_[4 random numbers].zip” file in the Messenger without a preview is a clear indicator of a malicious content.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions