Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts' credentials.
Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month.
New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.
It is not the first malware to abuse Facebook Messenger to spread itself like a worm.
Late last year, Trend Micro researchers discovered a Monero-cryptocurrency mining bot, dubbed Digmine, that spreads through Facebook messenger and targets Windows computers, as well as Google Chrome for cryptocurrency mining.
It should be noted that FacexWorm extension has only been designed to target Chrome users. If the malware detects any other web browser on the victim's computer, it redirects the user to an innocuous-looking advertisement.
How Does the FacexWorm Malware Work
If the malicious video link is opened using Chrome browser, FacexWorm redirects the victim to a fake YouTube page, where the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video.
Once installed, FacexWorm Chrome extension downloads more modules from its command and control server to perform various malicious tasks.
Here below I have listed a brief outline of what FacexWorm malware can perform:
- To spread itself further like a worm, the malware requests OAuth access token for the Facebook account of the victim, using which it then automatically obtains the victim's friend list and sends that malicious, fake YouTube video link to them as well.
- Steal the user's account credentials for Google, MyMonero, and Coinhive, when the malware detects that the victim has opened the target website's login page.
- FacexWorm also injects cryptocurrency miner to web pages opened by the victim, which utilizes the victim computer's CPU power to mine Cryptocurrency for attackers.
- FacexWorm even hijacks the user's cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
- When the malware detects the user has accessed one of the 52 cryptocurrency trading platforms or typed keywords like "blockchain," "eth-," or "ethereum" in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal user's digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.
- To avoid detection or removal, the FacexWorm extension immediately closes the opened tab when it detects that the user is opening the Chrome extension management page.
- The attacker also gets a referral incentive every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.
Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).
The FacexWorm malware has been found surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. But since Facebook Messenger is used worldwide, there are more chances of the malware being spread globally.
Chrome Web Store had removed many of the malicious extensions before being notified by Trend Micro researchers, but the attackers keep uploading it back to the store.
Facebook Messenger can also detect the malicious, socially engineered links and regularly block the propagation behavior of the affected Facebook accounts, researchers said.
Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.