FacexWorm Spreads via Facebook Messenger, Malicious Chrome Extension
[Image: FacexWorm.png]

Quote: Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users.

This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware.

Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.

How FacexWorm spreads and infects users

The infection chain has remained the same and usually starts with users receiving link spam via Facebook Messenger.

Clicking the link leads users to a web page mimicking YouTube, which tries to trick the user into installing a YouTube-themed Chrome extension.

Trend Micro says it analyzed this extension and found numerous malicious functions. For starters, the rogue extension adds code to users' Chrome browsers to steal login credentials from login forms.

This behavior isn't active on all sites, but only when users are accessing Google, Coinhive, or MyMonero web accounts. Collected credentials are sent to the FacexWorm gang's servers.

FacexWorm redirects users to scam pages

Second, the rogue FacexWorm extension automatically redirects users to a web page pushing a cryptocurrency scam, asking users to send over a small Ether sum to verify their account.

The redirection takes place only when users try to access cryptocurrency-related sites. The extension comes with a list of 52 websites on which the redirection becomes active. In addition, it will also show up on sites whose URLs include terms such as "eth," "ethereum," or "blockchain."

Third, the extension also inserts a cryptojacking mining script, loading an instance of the Coinhive in-browser miner, which mines Monero for the FacexWorm gang.

FacexWorm can also steal cryptocurrency

Fourth, the rogue extension also switches recipient information for cryptocurrency transactions on trading platforms such as Poloniex, HitBTC, Bitfinex, Ethfinex, Binance, and Blockchain.info.

Trend Micro says FacexWorm can replace details for Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR) transactions, switching the recipient's address with one owned by the FacexWorm malware creators.

According to Trend Micro, crooks didn't manage to make a profit out of this scheme, as researchers caught and reported the extension early on, and the cryptocurrency addresses associated with this campaign only recorded one transaction worth a meager $2.49.

Crooks also tried to make money via referral URLs

Last but not least, when users try to access certain sites, the FacexWorm rogue extension also redirects users to referral URLs, which is another way in which the malware authors are earning money via their infected hosts.

The referral URL redirection has been spotted for sites such as Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.

Trend Micro said it had an integral role in shutting down this campaign as soon as it got started, reporting it to both Google and Facebook. The Chrome Web Store staff intervened by removing the extension, while Facebook banned domains associated with the spam messages.

SOURCE
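The article lists the behaviours of the rogue extension (broad injection into every site, reading login forms, keyword-based redirection to cryptocurrency pages, loading an in-browser miner, and touching exchange sites). As an added example that is not part of the article or of Trend Micro's analysis, the script below audits an unpacked Chrome extension directory for those indicators from a defender's side. The indicator regexes, the permission lists, and the sample extension it writes to a temp directory are all constructed for this example; they are not the real FacexWorm code or IoCs and would need tuning before use against real extensions.

```python
"""Audit an unpacked Chrome extension for FacexWorm-style indicators (example)."""
import json
import os
import re
import tempfile

# Constructed indicator lists for this example, not Trend Micro's IoCs.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "webNavigation", "tabs", "cookies"}
EXCHANGE_RE = re.compile(r"poloniex|hitbtc|bitfinex|ethfinex|binance|blockchain\.info", re.I)
MINER_RE = re.compile(r"coinhive", re.I)
CREDENTIAL_RE = re.compile(r"type\s*=\s*['\"]?password['\"]?|input\[type=.?password", re.I)
KEYWORD_RE = re.compile(r"\beth(ereum)?\b|\bblockchain\b", re.I)


def _iter_js(root):
    """Yield (relative path, source) for every .js file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield os.path.relpath(path, root), fh.read()


def audit_extension(root):
    """Return a list of (finding, location) tuples for the extension at root."""
    findings = []
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)

    # Manifest-level indicators: access to every site plus request-rewriting APIs.
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        findings.append(("broad host access", "manifest.json"))
    for perm in sorted(perms & RISKY_PERMISSIONS):
        findings.append(("risky permission: " + perm, "manifest.json"))
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append(("content script injected on all sites", "manifest.json"))

    # Source-level indicators matching the behaviours the article describes.
    for rel, src in _iter_js(root):
        if MINER_RE.search(src):
            findings.append(("in-browser miner reference", rel))
        if CREDENTIAL_RE.search(src):
            findings.append(("reads password fields", rel))
        if EXCHANGE_RE.search(src):
            findings.append(("references cryptocurrency exchange", rel))
        if KEYWORD_RE.search(src):
            findings.append(("URL keyword matching (eth/ethereum/blockchain)", rel))
    return findings


# Constructed sample extensions: one exhibiting the indicators, one benign.
BAD_MANIFEST = {
    "manifest_version": 2, "name": "Video Helper (constructed sample)", "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
BAD_CONTENT_JS = """// constructed sample, not real malware code
var fields = document.querySelectorAll("input[type='password']");
if (/eth|ethereum|blockchain/.test(location.href)) { /* redirect logic omitted */ }
if (/binance|poloniex/.test(location.hostname)) { /* swap logic omitted */ }
var s = document.createElement('script'); s.src = 'https://coinhive.example/lib.js';
"""
GOOD_MANIFEST = {
    "manifest_version": 2, "name": "Benign Helper (constructed sample)", "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://www.youtube.com/*"], "js": ["content.js"]}],
}
GOOD_CONTENT_JS = "console.log('benign constructed sample');\n"


def write_sample_extension(root, benign=False):
    """Write one of the constructed sample extensions into root and return root."""
    os.makedirs(root, exist_ok=True)
    manifest, js = (GOOD_MANIFEST, GOOD_CONTENT_JS) if benign else (BAD_MANIFEST, BAD_CONTENT_JS)
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(root, "content.js"), "w", encoding="utf-8") as fh:
        fh.write(js)
    return root


def demo(benign=False):
    """Audit a freshly written sample extension and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extension(tmp, benign=benign)
        return audit_extension(tmp)


if __name__ == "__main__":
    for finding, where in demo():
        print(f"{where}: {finding}")
```

Point `audit_extension` at a real unpacked extension directory (Chrome keeps them under the profile's `Extensions` folder) to get the same tuple list; findings are only indicators, so a hit on a single pattern (a password selector in a legitimate password manager, for instance) is a reason to read the code, not a verdict.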