
Hackers trying to infect Facebook Messenger with Crypto Malware

By Manmeet
Published almost 3 years ago

Bitcoin and other cryptocurrencies have become very popular over the last 5 – 6 months. As they become more mainstream, they are also becoming targets for hackers and cybercriminals who employ different ways to manipulate naïve users and their systems for their own advantage.

Almost everybody uses Facebook Messenger nowadays. A major chunk of Facebook users is not tech-savvy, making the social media application a virtual stage for different scams, spam, and clickbait applications. Hence it is a perfect medium for introducing and spreading malware. Malware is a single term for “malicious software” and refers to viruses, Trojans, spyware and other programs which cause harm to a computer attached to a network.

As per a recent report by The Independent, security researchers working at “Trend Micro” have found a new malware that infects Facebook Messenger to stealthily and secretly mine cryptocurrencies. This malware is a bot known as “Digmine”. It uses the victim’s CPU resources in the background to mine Monero, a lesser-known, anonymity-oriented coin. Monero currently trades for about $350.

The malware takes on the camouflage of a video file with the name video_xxxx.zip. It arrives from someone who is already in the user’s friend list, so its real origin remains hidden. The sender’s machine, which acts as a carrier for the malware, is already infected. As of now, this malware becomes active only through the desktop or web version of Facebook Messenger in Google Chrome, not from the mobile applications.

Digmine serves as a backdoor for hackers to enter an unsuspecting person’s Facebook account. Once the hacker has gained entry, and if the Facebook account is set to auto log-in, the contacts in the friend list are picked up for spreading the malware further. Thus, Facebook acts as a transportation medium for Digmine.

Digmine further installs an executable file called “miner.exe”, a cryptocurrency miner that is a tweaked version of the open-source Monero miner known as “XMRig”. This miner sits in the background, goes unnoticed and secretly mines the Monero cryptocoin. The profits obtained are then sent to the hackers. Digmine also installs an auto-start mechanism and infects Chrome with a malicious extension, giving the hacker full control of the person’s Facebook profile. The hacker, in turn, uses that access to spread the malicious video file to all the friends in the contact list via Messenger.

Although Chrome extensions can normally only be installed from the official Chrome Web Store, the hackers have found a way around this by launching the browser with the malicious extension loaded through a command-line parameter.

Trend Micro has stated that this malicious extension reads its own configuration from the Command & Control (C&C) server. An instruction can then be issued to the extension either to log into the Facebook account or to open a counterfeit page for playing a video. This fake video-playing website is also part of the C&C infrastructure. It may look like a normal video site, but it carries the settings and configurations for the different components of the malware.
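As an added, defender-side illustration (not code from the article or from Trend Micro), the following Python flags the three behaviours described above in constructed process-creation log lines: the video_xxxx.zip lure being opened, Chrome being started with an extension from the command line, and the miner.exe process. The log format, the sample paths and the parent name dropper.exe are assumptions; --load-extension is a real Chrome switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed, simplified process-creation events (not real telemetry), one per line:
#   "<timestamp> | <parent image> | <image path> | <command line>"
# The parent name "dropper.exe" and the Temp paths are placeholders, not Digmine artefacts.
SAMPLE_EVENTS = [
    "2017-12-21T10:02:11 | explorer.exe | C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | \"chrome.exe\" https://www.facebook.com/",
    "2017-12-21T10:03:02 | explorer.exe | C:\\Program Files\\7-Zip\\7zFM.exe"
    " | 7zFM.exe C:\\Users\\u\\Downloads\\video_1234.zip",
    "2017-12-21T10:05:30 | dropper.exe | C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | \"chrome.exe\" --load-extension=C:\\Users\\u\\AppData\\Local\\Temp\\ext https://www.facebook.com/",
    "2017-12-21T10:05:33 | dropper.exe | C:\\Users\\u\\AppData\\Local\\Temp\\miner.exe | miner.exe",
    "2017-12-21T10:06:00 | explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe",
]

# Indicators taken from the article: the lure name, the side-loaded extension, the miner name.
VIDEO_ZIP_RE = re.compile(r"\bvideo_\d+\.zip\b", re.IGNORECASE)      # assumes "xxxx" is digits
LOAD_EXT_RE = re.compile(r"--load-extension(=|\s)", re.IGNORECASE)   # real Chrome switch

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into its four fields."""
    ts, parent, image, cmdline = [p.strip() for p in line.split(" | ", 3)]
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the name of every Digmine-style indicator this event matches."""
    findings = []
    name = basename(ev["image"])
    if VIDEO_ZIP_RE.search(ev["cmdline"]):
        findings.append("video_xxxx.zip lure opened")
    # Extensions normally come only from the Web Store; a command-line load bypasses that.
    if name == "chrome.exe" and LOAD_EXT_RE.search(ev["cmdline"]):
        findings.append("chrome started with --load-extension")
    if name == "miner.exe":
        findings.append("miner.exe process (XMRig-based miner)")
    return findings

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; returns (timestamp, finding) pairs."""
    return [(ev["ts"], f) for ev in map(parse_event, lines) for f in check_event(ev)]

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_EVENTS):
        print(ts, finding)
```

In a real deployment the same three rules would run over Sysmon or EDR process-creation events, and the --load-extension rule is worth keeping even after the miner filename changes.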

Trend Micro has appealed to all heavy social media users to be a little more vigilant while using the social sites.