Clicking on videos and links in Facebook may not always be safe. Caution should always be used when opening links, especially if they are from an unknown recipient. Researchers recently reported on a malicious Chrome extension which is spreading through Facebook Messenger to target users of cryptocurrency trading platforms to steal their credentials.
The malware named FaceXWorm uses an attack technique first noticed in August of 2017 and was re-packed and circulated again in May of 2018. The new re-packed version contains capabilities to steal account credentials from websites like Google, and from cryptocurrency sites. The malware can also inject miners into the web page for mining cryptocurrency.
The malware Digimine also spreads through Facebook messenger and targets Windows computers as well as Google Chrome for cryptocurrency mining.
Details
The malware works by sending socially engineered links over Facebook Messenger to the friends of infected Facebook users. The links are to fake versions of video streaming websites like YouTube. Once redirected to the fake Youtube site, victims are prompted to download a malicious Chrome extension disguised as a code needed to play the video.
Once installed on a victim’s system FacexWorm downloads more modules from its command and control server to perform different tasks. The following list outlines some of FaceXWorm capabilities.[1]
- Steal the user’s account credentials for Google, MyMonero, and Coinhive— Once FacexWorm detects that the target website’s login page is open, it will inject a function that sends the credentials to its C&C server, 1.) after the form is filled and 2.) the login button is clicked.
- Push a cryptocurrency scam — When FacexWorm detects the user is accessing any of the 52 cryptocurrency trading platforms it targets, or if the user is keying in keywords such as “blockchain,” “eth-,” or “ethereum” in the URL, it will redirect the victim to a scam webpage. The scam entices users to send 0.5 – 10 ether (ETH) to the attacker’s wallet address for verification purposes and promises to send back 5 – 100 ETH. Users can mitigate this by simply closing the page and reopening it to restore normal access to the original website. This is because the malicious extension reserves a timestamp in the cookie that prevents redirection to the scam page within an hour. However, redirection will resume if FacexWorm’s webpages of interest are accessed again. We have so far not discovered anyone who has sent ETH to the attacker’s address.
- Conduct malicious web cryptocurrency mining— FacexWorm also injects a JavaScript miner to webpages opened by the victim. The miner is an obfuscated Coinhive script connected to a Coinhive pool. Based on the script’s settings, the miner is configured to utilize 20 percent of the affected system’s CPU power for each thread and opens four threads to mining on webpages.
- Hijack cryptocurrency-related transactions — Once the victim opens the transaction page on a cryptocurrency-related website, FacexWorm locates the address keyed in by the victim and replaces it with another specified by the attacker. FacexWorm performs this on the trading platforms Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info. Cryptocurrencies targeted include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR). When we reviewed the attacker-assigned addresses (until April 19), Wapack Labs found that only one Bitcoin transaction (valued at $2.49) had been hijacked.
- Earn from cryptocurrency-related referral programs — If the victim accesses a targeted website, FacexWorm redirects the page to the attacker-specified referral link for the same website. The attacker receives a referral incentive for every victim that registers an account. Targeted websites include Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.
Crypto currencies targeted by FacexWorm include:
- BitCoin (BTC)
- BitCoin Gold (BTG)
- BitCoin Cash (BCH)
- Dash (DASH)
- ETH
- Ethereum Classic (ETC)
- Ripple (XRP)
- Litecoin (LTC)
- Zcash (ZEC)
- Monero (XMR)
The Chrome Web Store has removed many of the malicious FacexWorm extensions only to have it re-uploaded by attackers. Campaigns of this type are not unusual and Facebook users need to always research extensions before accepting them, and skeptical of links and files sent from social media platforms.
If you are interested in more information on this subject, please contact us at feedback@wapacklabs.com
[1] https://blog.trendmicro.com/trendlabs-security-intelligence/facexworm-targets-cryptocurrency-trading-platforms-abuses-facebook-messenger-for-propagation/
Comments