Cybersecurity researchers from Trend Micro are alert users of a malicious Chrome extension which is spreading through Facebook Messenger in addition to targeting users of cryptocurrency trading platforms to pocket their accounts’ credentials.
Dubbed FacexWorm, the laid upward on technique used past times the malicious extension kickoff emerged inwards August terminal year, but researchers noticed the malware re-packed a few novel malicious capabilities before this month.
New capabilities include stealing work concern human relationship credentials from websites, similar Google in addition to cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the spider web page for mining cryptocurrency, in addition to redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.
It is non the kickoff malware to abuse Facebook Messenger to spread itself similar a worm.
Late terminal year, Trend Micro researchers discovered a Monero-cryptocurrency mining bot, dubbed Digmine, that spreads through Facebook messenger in addition to targets Windows computers, equally good equally Google Chrome for cryptocurrency mining.
It should locomote noted that FacexWorm extension has alone been designed to target Chrome users. If the malware detects whatever other spider web browser on the victim's computer, it redirects the user to an innocuous-looking advertisement.
How Does the FacexWorm Malware Work
If the malicious video link is opened using Chrome browser, FacexWorm redirects the victim to a imitation YouTube page, where the user is encouraged to download a malicious Chrome extension equally a codec extension to hold playing the video.
Once installed, FacexWorm Chrome extension downloads to a greater extent than modules from its command in addition to command server to perform diverse malicious tasks.
"FacexWorm is a clone of a normal Chrome extension but injected alongside curt code containing its principal routine. It downloads additional JavaScript code from the C&C server when the browser is opened," the researchers said.
"Every fourth dimension a victim opens a novel webpage, FacexWorm volition enquiry its C&C server to uncovering in addition to recall unopen to other JavaScript code (hosted on a Github repository) in addition to execute its behaviors on that webpage."Since the extension takes all the extended permissions at the fourth dimension of installation, the malware tin access or alteration information for whatever websites the user opens.
Here below I stimulate got listed a brief outline of what FacexWorm malware tin perform:
- To spread itself farther similar a worm, the malware requests OAuth access token for the Facebook work concern human relationship of the victim, using which it in addition to then automatically obtains the victim's friend listing in addition to sends that malicious, imitation YouTube video link to them equally well.
- Steal the user's work concern human relationship credentials for Google, MyMonero, in addition to Coinhive, when the malware detects that the victim has opened the target website’s login page.
- FacexWorm too injects cryptocurrency miner to spider web pages opened past times the victim, which utilizes the victim computer's CPU ability to mine Cryptocurrency for attackers.
- FacexWorm fifty-fifty hijacks the user's cryptocurrency-related transactions past times locating the address keyed inwards past times the victim in addition to replacing it alongside the i provided past times the attacker.
- When the malware detects the user has accessed i of the 52 cryptocurrency trading platforms or typed keywords similar "blockchain," "eth-," or "ethereum" inwards the URL, FacexWorm volition redirect the victim to a cryptocurrency scam webpage to pocket user's digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, in addition to Binance, in addition to the wallet Blockchain.info.
- To avoid detection or removal, the FacexWorm extension similar a shot closes the opened tab when it detects that the user is opening the Chrome extension administration page.
- The assailant too gets a referral incentive every fourth dimension a victim registers an work concern human relationship on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.
Cryptocurrencies targeted past times FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), in addition to Monero (XMR).
The FacexWorm malware has been flora surfacing inwards Germany, Tunisia, Japan, Taiwan, South Korea, in addition to Spain. But since Facebook Messenger is used worldwide, in that place are to a greater extent than chances of the malware beingness spread globally.
Chrome Web Store had removed many of the malicious extensions before beingness notified past times Trend Micro researchers, but the attackers hold uploading it dorsum to the store.
Facebook Messenger tin too uncovering the malicious, socially engineered links in addition to regularly block the propagation conduct of the affected Facebook accounts, researchers said.
Since Facebook Spam campaigns are quite common, users are advised to locomote vigilant when clicking on links in addition to files provided via the social media site platform.
