New Cryptocurrency Mining Virus Spreads Through Facebook

If you receive a link to a video sent by someone (even a friend) on Facebook Messenger, do not click on it without thinking, however exciting it sounds.

Trend Micro’s cybersecurity researchers warn users of a malicious Chrome extension that spreads via Facebook Messenger and targets users of cryptocurrency trading platforms to steal credentials from their accounts.


Nicknamed FacexWorm, the attack technique used by the malicious extension first appeared in August of last year, but the researchers noticed that the malware had been repackaged with some new malicious features earlier this month.
New features include stealing account credentials from websites such as Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners into web pages to mine cryptocurrency, and redirecting victims to the attacker's referral links.

It is not the first malware to abuse Facebook Messenger to spread like a worm.

At the end of last year, Trend Micro researchers discovered a Monero cryptocurrency mining bot, named Digmine, which spreads via Facebook Messenger and targets Windows computers, as well as Google Chrome, for cryptocurrency mining.

Like Digmine, FacexWorm also works by sending socially engineered links over Facebook Messenger to friends of an affected Facebook account, redirecting victims to fake versions of popular video streaming sites, such as YouTube.
It should be noted that the FacexWorm extension has only been designed to target Chrome users. If the malware detects another web browser on the victim’s computer, it redirects the user to harmless advertising.

How FacexWorm Malware Works

If the malicious video link is opened using the Chrome browser, FacexWorm redirects the victim to a fake YouTube page, where the user is prompted to download a malicious Chrome extension, presented as a codec extension, to continue playing the video.

Once installed, the FacexWorm Chrome extension downloads more modules from its command and control server to perform various malicious tasks.

“FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is open,” the researchers said.
“Whenever a victim opens a new web page, FacexWorm queries its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that web page.”
Because the extension takes all the extended permissions at installation time, the malware can access or modify the data of all Web sites opened by the user.
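
The all-site access described above is visible in an extension's manifest before it ever runs, so it can be audited. The sketch below is an added example, not code from Trend Micro's report or from this article; the sample manifests are constructed, and the `NOTABLE_APIS` list is this example's own choice of permissions to surface, not a list of what FacexWorm requested.

```python
import json

# Match patterns that grant access to every site (Chrome match-pattern syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look next to all-site access (example's choice).
NOTABLE_APIS = {"tabs", "webRequest", "webRequestBlocking", "management"}


def audit_manifest(manifest: dict) -> dict:
    """Return the all-site grants and notable API permissions in one manifest."""
    declared = []
    # Manifest V2 mixes hosts into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    broad = {p for p in declared if p in BROAD_PATTERNS}
    # Content scripts get page access through their own "matches" list.
    for script in manifest.get("content_scripts", []):
        broad |= {m for m in script.get("matches", []) if m in BROAD_PATTERNS}
    apis = {p for p in declared if p in NOTABLE_APIS}
    return {
        "name": manifest.get("name", "<unnamed>"),
        "all_sites": sorted(broad),
        "notable_apis": sorted(apis),
        "review": bool(broad),  # can read or modify every page the user opens
    }


# Constructed sample manifests (not taken from any real extension).
SAMPLES = [
    json.loads("""{"name": "Video Codec Helper", "manifest_version": 2,
      "permissions": ["tabs", "<all_urls>"],
      "content_scripts": [{"matches": ["*://*/*"], "js": ["main.js"]}]}"""),
    json.loads("""{"name": "Notes Sidebar", "manifest_version": 3,
      "permissions": ["storage"],
      "host_permissions": ["https://notes.example/*"]}"""),
]


def audit_all(manifests):
    return [audit_manifest(m) for m in manifests]


if __name__ == "__main__":
    for report in audit_all(SAMPLES):
        print(report)
```

An extension flagged here is not necessarily malicious, since many legitimate extensions request all-site access; the flag marks extensions whose origin and purpose deserve a check.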

Below is a brief overview of what the FacexWorm malware can do:

  • To spread like a worm, the malware requests an OAuth access token for the victim’s Facebook account, then automatically obtains the victim’s friend list and sends the fake malicious video link to those friends.
  • It steals user account credentials for Google, MyMonero, and Coinhive when the malware detects that the victim has opened the login page of the target website.
  • FacexWorm also injects a cryptocurrency miner into web pages opened by the victim, which uses the CPU power of the victim’s computer to mine cryptocurrency for the attackers.
  • FacexWorm even hijacks the user’s cryptocurrency transactions by locating the address entered by the victim and replacing it with the address provided by the attacker.
  • When the malware detects that the user has accessed one of the 52 cryptocurrency trading platforms, or that the URL contains keywords such as “blockchain,” “eth-” or “ethereum”, FacexWorm redirects the victim to a cryptocurrency scam page. Targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, as well as the portfolio.
  • To avoid detection or removal, the FacexWorm extension immediately closes the open tab when it detects that the user is opening the Chrome extensions management page.
  • The attacker also receives a referral incentive whenever a victim registers an account on Binance, DigitalOcean, or HashFlare.

So far, Trend Micro researchers have discovered that FacexWorm has compromised at least one Bitcoin transaction (valued at $2.49) up to April 19, but they do not know how much the attackers have earned from the malicious web mining.

Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), Ethereum (ETH), Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

FacexWorm malware has been discovered in Germany, Tunisia, Japan, Taiwan, South Korea and Spain. However, since Facebook Messenger is used around the world, it is more likely that the malware is distributed worldwide.

The Chrome Web Store had removed many of the malicious extensions before being notified by Trend Micro researchers, but the attackers keep uploading them to the store again.

Facebook Messenger can also detect malicious, socially-engineered links and regularly block the propagation behavior of the relevant Facebook accounts, according to the researchers.
Because Facebook spam campaigns are quite common, users should be careful when clicking on links and files sent through the social media platform.
