FacexWorm cryptocurrency mining virus spreads via Facebook Messenger

Facebook Messenger exploited for spreading password-stealing crypto hijacker FacexWorm

Trend Micro[1] disclosed at the end of April 2018 a cryptocurrency-hijacking Google Chrome extension similar to Digmine[2]. Dubbed FacexWorm, the malware spreads the same way the earlier Facebook virus[3] did: compromised Facebook accounts send socially engineered spam links via Facebook Messenger, and the links redirect recipients to a rogue YouTube-themed website offering a Chrome extension that carries the FacexWorm JavaScript code.

The spread of FacexWorm is alarming. The malware can steal passwords, inject cryptocurrency-mining code into web pages the victim visits, redirect the victim to cryptocurrency scam sites or referral programs, and hijack transactions and web wallets. Although the current FacexWorm strain resembles the Digmine campaign of December 2017, it is far more aggressive.

FacexWorm takes advantage of gullible Facebook Messenger users

The first strain of FacexWorm was identified in August 2017, soon after Facebook users began reporting cryptic Messenger messages containing a link that redirected to unknown domains.[4]

According to security researchers, these links can lead to several different domains. In most cases the victim lands on a fake YouTube website that displays a pop-up urging them to install a Chrome extension in order to view the page's content. The site is YouTube-themed and professionally designed.

Note that the campaign only targets Chrome users. The link first checks whether the visitor's browser is Chrome; if it is, the victim is sent to the page hosting the malicious extension. If Chrome is not detected, the visitor is instead sent to a site full of commercial ads. Either way, the primary distribution channel for FacexWorm is Facebook Messenger spam.

The infection chain is simple. The user receives a message via Facebook Messenger and clicks the spam link, lands on the attacker-controlled site, and is offered the "required" Chrome extension, which is FacexWorm itself.

If the user agrees to install it, the extension injects malicious code into the browser and records the login credentials the user enters on websites.

Germany, Tunisia, Japan, Taiwan, South Korea, and Spain are among the first victims

Trend Micro says it identified the Chrome extensions carrying FacexWorm and reported each of them to the Chrome Web Store team, which, as it turned out, had already removed most of them before the campaign was made public.

The campaign's first attempt at large-scale theft came to little: at the time of disclosure, the extension had hijacked only one Bitcoin transaction.

As noted above, Google has already removed most of the malicious extensions, which reduces the risk of new infections. Unfortunately, the worm had already infected users, many of them involved in cryptocurrency projects, in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

Cryptocurrency users – attention, please!

The malware specifically targets cryptocurrency trading platforms. It scans the URL of every page the victim opens for keywords such as bitcoin, blockchain, and ethereum.

When a match is found, the user is automatically redirected to a rogue "Wallet Address Verification" website that asks them to send between 0.5 and 10 ether to a provided address in order to "verify" the wallet. A user who believes the promise of a reward, or who enters the login credentials for their digital wallet, hands the funds or the account to the attackers, who then empty it.[5]

Beyond the scam page, the extension can silently replace the recipient of a cryptocurrency transaction with an attacker-controlled address. At the time of writing, the worm hijacks transactions on Poloniex, HitBTC, Bitfinex, Ethfinex, Binance, and Blockchain.info. The following cryptocurrencies are targeted:

  • Bitcoin (BTC)
  • Bitcoin Gold (BTG)
  • Bitcoin Cash (BCH)
  • Dash (DASH)
  • Ethereum (ETH)
  • Ethereum Classic (ETC)
  • Ripple (XRP)
  • Litecoin (LTC)
  • Zcash (ZEC)
  • Monero (XMR)[6]
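The recipient swap described above is a man-in-the-browser attack: the user types or pastes one address, and injected script rewrites the form field before the transaction is built. The following is an added example, not code from the original article or from Trend Micro, showing a defensive check a web wallet or exchange front end could embed against this class of tampering: remember the recipient exactly as the user entered it, and refuse to send if the field no longer matches. The class and function names, the loose address-format patterns, and the sample addresses are assumptions constructed for this illustration.

```javascript
// Added example (not the article's or Trend Micro's code): a recipient-address
// guard against in-browser address swapping. Names, regexes and sample
// addresses are constructed for illustration.

// Loose per-asset format checks. They reject garbage and catch a swap to a
// different coin's address; they are NOT full checksum validation.
const ADDRESS_FORMATS = {
  BTC: /^(1[1-9A-HJ-NP-Za-km-z]{25,34}|3[1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{8,87})$/,
  ETH: /^0x[0-9a-fA-F]{40}$/,
  LTC: /^([LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[02-9ac-hj-np-z]{8,87})$/,
  XRP: /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/,
};

class RecipientGuard {
  constructor(asset) {
    this.asset = asset;
    this.userValue = null; // last recipient entered by a trusted user event
  }

  // Call from the field's 'input'/'paste' handlers, only when event.isTrusted
  // is true, e.g.:
  //   field.addEventListener('input', e => {
  //     if (e.isTrusted) guard.noteUserInput(e.target.value);
  //   });
  noteUserInput(value) {
    this.userValue = String(value).trim();
  }

  // Call immediately before building or signing the transaction, passing the
  // field's current value (what an injected script may have rewritten).
  verify(currentValue) {
    const current = (currentValue || '').trim();
    const re = ADDRESS_FORMATS[this.asset];
    if (!re) {
      return { ok: false, reason: `unsupported asset ${this.asset}` };
    }
    if (this.userValue === null) {
      return { ok: false, reason: 'no user-entered recipient recorded' };
    }
    if (!re.test(current)) {
      return { ok: false, reason: `recipient is not a well-formed ${this.asset} address` };
    }
    if (current !== this.userValue) {
      return { ok: false, reason: 'recipient changed after user input (possible in-browser swap)' };
    }
    return { ok: true, reason: 'recipient matches what the user entered' };
  }
}

// Constructed scenario: the user pastes the intended ETH recipient, then an
// injected script rewrites the field before the send button is clicked.
function simulateAddressSwap() {
  const guard = new RecipientGuard('ETH');
  const intended = '0x0123456789abcdef0123456789abcdef01234567'; // constructed
  const attacker = '0xfedcba9876543210fedcba9876543210fedcba98'; // constructed
  guard.noteUserInput(intended);
  const honest = guard.verify(intended);   // field untouched: ok
  const swapped = guard.verify(attacker);  // field rewritten: rejected
  return { honest, swapped };
}

console.log(JSON.stringify(simulateAddressSwap(), null, 2));
```

The guard raises the bar rather than closing the hole: a malicious extension with full access to the page can also patch the guard itself or the signing code, so the check is a complement to, not a substitute for, confirming the recipient on a hardware wallet or a second device before broadcasting.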

Apart from wallet and transaction hijacking, the criminals can inject referral links or a CPU miner into the pages the victim visits. Trend Micro researchers note that the FacexWorm miner is throttled to about 20% of CPU capacity. A miner running at full capacity would earn more, but it would also be noticed and removed sooner; the modest load lets it stay resident on the system for longer.

No single measure guarantees protection against FacexWorm, but better browsing habits and staying informed about current threats go a long way. Trend Micro advises:

Think before sharing, be more prudent against unsolicited or suspicious messages, and enable tighter privacy settings for your social media accounts.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.