Hackers are spreading cryptocurrency mining malware through Facebook Messenger



Either by choice or through hacks, drive-by cryptomining is becoming popular. The increasing price of cryptocurrencies has seen more websites surreptitiously mine Monero using visitors’ CPUs. But a newly discovered mining malware is even more malicious, and it’s being spread through Facebook Messenger.

Cybersecurity firm Trend Micro first discovered the bot, which it has dubbed Digmine, in South Korea. It has since been found in Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela. Given the way it spreads, Digmine could soon reach other countries.

Victims receive a file named ‘video_xxxx.zip’ from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension. Extensions can only be downloaded from the Chrome Web Store, but this is bypassed using the command line.

Once the malware infects a system, a modified version of XMRig—a Monero mining tool—is installed. This mines the cryptocurrency in the background using a victim’s CPU, sending all profits back to the hackers.

Additionally, the Chrome extension is also used to spread Digmine. If someone has their Facebook account set to log in automatically, the fake video file link will be sent to all their friends via Messenger. The malware could also be used to take over a Facebook account entirely.
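The infection chain above (a lure file opens Chrome with an extension side-loaded from the command line, bypassing the Web Store restriction) leaves a footprint in process-creation logs that defenders can look for. The following is an added Python example, not code from Trend Micro or from the article. It assumes a hypothetical one-line `key=value | key=value` log format, that the side-loading uses Chrome's real `--load-extension` switch (the article only says the restriction is bypassed "using the command line"), and that extensions Chrome installed itself live under the profile's `User Data` directory; every log line below is constructed for the example.

```python
"""Flag Chrome launches that side-load an extension from the command line.

Added example (not Trend Micro's or the article's code). Event format,
directory layout and the lure-named parent process are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real Chrome switch: --load-extension=<dir> (quoted or bare path).
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Lure name pattern taken from the article's 'video_xxxx.zip' (assumption:
# the dropped launcher keeps that naming).
LURE_NAME_RE = re.compile(r"^video_\d{4}", re.IGNORECASE)
# Assumption: Chrome-managed extensions sit below the profile's 'User Data' dir.
PROFILE_MARKER = "\\user data\\"
# User-writable staging directories where a dropped extension would land.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed process-creation events (hypothetical format, not real logs).
SAMPLE_EVENTS = [
    r"ts=2017-12-21T10:01:02Z | pid=4120 | parent=C:\Windows\explorer.exe | "
    r"image=C:\Program Files\Google\Chrome\Application\chrome.exe | "
    r'cmd="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r"ts=2017-12-21T10:01:03Z | pid=4188 | parent=C:\Program Files\Google\Chrome\Application\chrome.exe | "
    r"image=C:\Program Files\Google\Chrome\Application\chrome.exe | "
    r'cmd="C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
    r"ts=2017-12-21T11:30:00Z | pid=4301 | parent=C:\Windows\explorer.exe | "
    r"image=C:\Program Files\Google\Chrome\Application\chrome.exe | "
    r'cmd="C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\myext',
    r"ts=2017-12-21T12:15:44Z | pid=5011 | parent=C:\Users\alice\AppData\Local\Temp\video_1234.exe | "
    r"image=C:\Program Files\Google\Chrome\Application\chrome.exe | "
    r'cmd="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--load-extension="C:\Users\alice\AppData\Local\Temp\video_1234\ext"',
]


@dataclass
class Finding:
    pid: int
    image: str
    extension_path: Optional[str]
    reasons: List[str]

    @property
    def severity(self) -> str:
        # Several independent indicators together are far more telling
        # than the bare presence of --load-extension (developers use it too).
        return "high" if len(self.reasons) >= 3 else "low"


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v | k=v' into a dict; only the first '=' of each field splits."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def extension_path(cmd: str) -> Optional[str]:
    """Return the directory passed to --load-extension, or None."""
    m = LOAD_EXT_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the side-loading indicators to one chrome.exe launch."""
    image = event.get("image", "")
    if basename(image).lower() != "chrome.exe":
        return None
    reasons: List[str] = []
    ext = extension_path(event.get("cmd", ""))
    if ext is not None:
        reasons.append("LOADS_EXTENSION")
        low = ext.lower()
        if PROFILE_MARKER not in low:
            reasons.append("EXT_OUTSIDE_PROFILE")
        if any(d in low for d in STAGING_DIRS):
            reasons.append("EXT_IN_STAGING_DIR")
    if LURE_NAME_RE.search(basename(event.get("parent", ""))):
        reasons.append("LURE_NAMED_PARENT")
    return Finding(int(event.get("pid", "0")), image, ext, reasons) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Run every event through assess() and keep the hits, in log order."""
    hits = (assess(parse_event(line)) for line in lines)
    return [f for f in hits if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} severity={f.severity} ext={f.extension_path} reasons={','.join(f.reasons)}")
```

Running it flags two of the four constructed events: the developer-style launch of an extension from `C:\dev\myext` scores low (two indicators), while the Chrome launched by a `video_1234.exe` parent with an extension staged in the user's Temp directory scores high. Scoring on combined indicators rather than on the flag alone is what keeps a rule like this usable without drowning analysts in developer noise.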

“The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line,” Trend Micro wrote.

The good news is that Digmine only works through the Chrome desktop version of Messenger. Right now, opening the malicious file via the Facebook/Messenger app or mobile webpage won’t have the same effect.

After Trend Micro revealed its findings, Facebook said it had taken down any links connected to Digmine.

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger,” the company said in a statement. “If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners.”

As always, the best way to avoid malware is to avoid opening suspicious links, even when they come from your friends.


"Extensions can only be downloaded from the Chrome Web Store, but this is bypassed using the command line." So how is the victim induced to download the extension with the command line?