Security firm Trend Micro has identified a new piece of malware that spreads via Facebook Messenger. Among other things, it mines cryptocurrency and collects login credentials for crypto trading platforms. FaceXWorm gains access to victims' computers via a manipulated Chrome extension.
The malware is similar to the mining malware Digmine and spreads through messages in Facebook Messenger. However, FaceXWorm is much more advanced and can do more damage than Digmine. The corresponding Chrome extension is now blocked, and the number of affected computers was manageable, according to the security researchers. However, the technique continues to pose a risk and can reappear in a modified form at any time.
The worm spreads via Messenger in the Chrome browser. First, victims receive a message containing a link from a friend's account. The link leads to a page that looks like YouTube but is hosted on a completely different server. Chrome then asks to install an extension, which is presented as a codec needed to play the desired video. If the victim installs it, FaceXWorm can start working. It immediately connects to its command-and-control (C&C) server and executes malicious code.
Like all mining malware, it can use the computing power of the affected PC to mine cryptocurrencies without asking. For this, it uses an obfuscated version of the Coinhive script. In addition, the worm has a few other capabilities:
Steal credentials: If FaceXWorm detects that the user opens a login page for Google, MyMonero or Coinhive, it activates a function that records the credentials as they are typed and sends them to its C&C server.
Cryptocurrency scam: The software recognizes when the user navigates to one of 52 trading platforms it is interested in or enters search terms such as "Blockchain" or "Ethereum". It then redirects the traffic to a separate page offering a "lucrative" Ethereum deal.
Tamper with crypto transactions: When a victim opens a crypto trading page, the worm registers this and inserts its own wallet address into the recipient field. So far this method has succeeded only once: $2.49 involuntarily changed hands this way, according to Trend Micro.
Manipulate referral programs: The software can silently redirect the user to its own referral pages when he or she navigates to selected cryptocurrency websites.
As with most malware, the user's own attention is the most important safeguard. Links received from friends without any comment should not be followed unquestioningly. It is worth looking at the URL that a questionable link opens. If it does not match the expected target page, alarm bells should ring. The same applies to browser extensions that supposedly need to be installed to view certain content. When in doubt, you can always google the name of the program together with the word "virus" and see what is behind it.
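The URL check described above can be automated, for example in a mail or chat gateway. The following is an added example, not code from Trend Micro or from the original article; the allowlist and the sample links are constructed, and `video-player.example` is a placeholder domain.

```python
from urllib.parse import urlsplit

# Assumption: the only domains a genuine YouTube link should point to.
EXPECTED_DOMAINS = frozenset({"youtube.com", "youtu.be"})


def link_host(url):
    """Return the host a browser would actually connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # malformed URL, e.g. broken IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname is already lower-cased and drops any "user@" prefix and port.
    host = parts.hostname.rstrip(".")
    try:
        # Normalise internationalised names so look-alike characters
        # show up as "xn--..." labels instead of matching visually.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_expected_site(url, expected=EXPECTED_DOMAINS):
    """True only if the link's real host is an expected domain or a subdomain of one."""
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in expected)


# Constructed sample links: two genuine ones and common look-alike patterns.
SAMPLES = [
    "https://www.youtube.com/watch?v=abc",
    "https://youtu.be/abc",
    "https://youtube.com.video-player.example/watch",      # brand as subdomain
    "https://www.youtube.com@video-player.example/watch",  # brand as userinfo
    "https://video-player.example/youtube.com/watch",      # brand in the path
    "https://notyoutube.com/watch",                        # brand as suffix
    "https://\u0443outube.com/watch",                      # Cyrillic look-alike
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ok" if is_expected_site(sample) else "MISMATCH"
        print(f"{verdict:8} {link_host(sample)}")
```
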