Cryptocurrency Mining Malware Spreads Through FB Messenger
FacexWorm, a malware that has spread through the Facebook messenger, has impacted cryptocurrency trading platforms and web-wallets.
FacexWorm, which spread via the Facebook messenger in April, was first discovered by a Kaspersky Labs engineer in August 2017. The notable thing about this malware is that there is no efficient antidote for it. It’s reportedly a malware with sophisticated social engineering and cross-platform coordination. A report on blokt states- “Thanks to its impressively sophisticated social engineering, cross-platform coordination, and viral propagations capabilities, Trend Micro rose the FacexWorm alarm and is actively collaborating with Facebook and Google Chrome to stop the digital epidemic, so to speak.”
Trend Micro researchers were already warning users of this malware which targeted users of cryptocurrency trading platforms and stole their account credentials. Recently they have noticed the malware re-packed with some new malicious capabilities.
The Hacker News, in a report dated May 1, 2018, says- “Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials. Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month.” The report further says- “New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker’s referral link for cryptocurrency-related referral programs.”
Last year also Trend Micro researchers had discovered a similar kind of malware, named Digmine. Spreading through Facebook messenger, this Monero-cryptocurrency mining hits Windows computers, plus Google Chrome for cryptocurrency mining.
FacexWorm has infected crypto-traders in Germany, Spain, Japan, South Korea, Tunisia and Taiwan; as for the total amount of funds stolen, it still remains unknown.
How FacexWorm spreads…
FacexWorm, which is a clone of a Chrome Extension and which contains a short code that programs its main routine, spreads in a very interesting manner.
The blokt.com report explains how it happens- ” The malware appears in messenger and starts by displaying a fake error message that directs users to a fake YouTube page. It then tricks them into installing some Google Chrome extension. Nothing appears dubious as the attacker seems to know exactly what he is doing, and is able to publish directly on the Google Web Store. While a promotional video plays, hidden privileged access is required and obtained through this phase.”
The malware would then send links to those in the friends list. The infected links can retrieve data for any credentials when these people visit different websites; they are also redirected to cryptocurrency scams. The malware would hijack transactions, which it executes by replacing a recipient address with the attacker’s address in every web-wallet, cold wallet or active trading platform.
How to protect yourself from such attacks…
It requires a pro-active approach to prevent oneself from such attacks. The basic security measures that are adopted to protect oneself from any malware need to be adopted for FacexWorm as well. It’s best to stay wary of unverified email attachments and suspicious links sent on messenger. Moreover, it’s always advisable to keep oneself away from any suspicious cryptocurrency “faucet” website. You also need to be cautious while downloading things from the internet; malware could come in the form of word files or excel files as well. It’s also good to install an ad-blocker.