TOP > News > [Alert] Crypto Malware is Spreading and it is using FB Messenger Again
August 6, 2018 Updated

Trend Micro identified a malicious Chrome extension that targets cryptocurrency trading platforms and spreads by using Facebook Messenger.



Trend Micro, a cybersecurity company, identified a malicious Chrome extension called FacexWorm. It targets cryptocurrency trading platforms and spreads by using Facebook Messenger.

FacexWorm Malware targets cryptocurrency exchange sites on an infected browser. It also spreads using Facebook Messenger.

This malware has been under the radar of numerous cybersecurity companies since 2017. Trend Micro noticed a spike in the malware’s activities on April 8, 2018. It also monitored these activities from users in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

While the malware lists and sends links to the user’s Facebook friends in the past, it can now steal user accounts and credentials. The malicious extension can also redirect its victims to cryptocurrency scams, inject malicious mining codes, redirect victims to the attacker’s referral link, and hijack transactions by replacing the recipient’s address with the attacker’s.

How FacexWorm Spreads

FacexWorm Malware spreads through Facebook Messenger by using an infected user to send a link to another victim. After the victim clicks on the link, they will be directed to a fake YouTube page and will then be asked to install an extension (FacexWorm) in order to play the video. After installation, it will request privileges to access and change data on an opened site.

After installation and agreeing to its request to access and change data, it will download malicious codes and open Facebook, from which it will obtain the user’s friends list. The malware will use the new user to send links to all of their friends, thus beginning another cycle of users being infected.

FacexWorm Behavior

  • Steal User Account Credentials – The malware is programmed to detect a target website’s login every time the page is open. It will send the credentials to its command and control server after the login is completed and the login button is clicked.
    • Affected sites: Google, MyMonero, Coinhive
  • Cryptocurrency Scam – Every time its victim opens any of the 52 cryptocurrency exchange sites it targets, or if the victim is putting words such as blockchain, eth, or ethereum in the URL, they will be redirected to a scam webpage. The web page will ask for a 0.5 – 10 ETH for verification with the promise of sending back 5 – 100 ETH.
  • Web cryptocurrency mining – The malware administers a JavaScript mining code into the victim’s open web pages. This “miner” is configured to steal 20% of the victim’s CPU power.
  • Hijacks crypto transactions – Whenever FacexWorm detects that the victim is in a cryptocurrency website and about to make a transaction, it changes the receiving address with another specified by the attacker.
    • Affected Exchange Sites: Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance
    • Affected Cryptocurrencies: bitcoin (BTC), bitcoin gold (BTG), bitcoin cash (BCH), dash (DASH), ethereum (ETH), ethereum classic (ETC), ripple (XRP), litecoin (LTC), Zcash (ZEC), and monero (XMR).
  • Redirects to cryptocurrency-related referral programs – If the victim opens a targeted website, FacexWorm redirects its victims to the attacker-specified referral link of the same website. This gives the attacker a referral incentive.
    • Affected Sites: Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.

As of this writing, Google Chrome already removed and banned cryptocurrency mining extensions in early April.

Trend Micro also advised users to think before sharing and be vigilant and prudent against suspicious messages. Another tip is to tighten their social media security settings.

Source: Trend Micro

Read More:

Also: