Malware Spreads Cryptocurrency Miner Via Facebook Messenger

bitcoin, cryptocurrency, crypto

The Digimine malware spreads through infected attachments in messages that may appear to come from someone the target knows

Credit: Trend Micro
Digimine spreads through an infected file attached to Facebook direct messages. Credit: Trend Micro

Security researchers have warned that cryptocurrency-mining malware is spreading through Facebook Messenger via infected messages that may appear to originate from people users know.

Digimine is able to access users’ Facebook accounts and send direct messages to their friends, increasing the likelihood that targets will click on the infected attachment, said computer security firm Trend Micro.

The attachment appears to be a video file, usually named “video_xxxx.zip”, where the x’s are numeric digits, but is in fact an executable script.

While Facebook Messenger runs on a number of different platforms, the script will only run properly on one of them – the Chrome web application running on a Windows system.

Account access

If the user’s Facebook account is set to log in automatically, the malware accesses it to send direct messages. Trend said the malware is capable of receiving updates that could see it hijack users’ Facebook accounts.

When launched, Digimine alters the Windows registry so that the malware starts automatically at launch and adds a malicious browser extension to Chrome that carries out the interactions with the user’s Facebook accouns.

Chrome extensions can normally only be installed from the Chrome Web Store, a restriction Google put in place recently to boost security, but the malware gets around that block by launching Chrome along with the malicious add-on via the command line.

It may also open a website that plays a decoy video, in order to distract the user’s attention from its malicious activities.

Monero mining

One of the malware’s components downloads a tool that uses the user’s processing power to mine the Monero cryptocurrency, using open-source mining code called XMRig.

Trend said the malware is an example of criminals cashing in on recent interest in cryptocurrencies, which are generated via processor-heavy calculations.

“The increasing popularity of cryptocurrency mining is drawing attackers back to the mining botnet business,” Trend researchers said in an advisory. “Like many cybercriminal schemes, numbers are crucial – bigger victim pools equate to potentially bigger profits.”

Facebook said it had removed the links Digimine was initially using to spread.

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger,” the company said in a statement, adding it would provide help to users who suspect their systems are infected with malware.

Trend said it expects the malware’s developers to continue to find ways to infect new users.

Digimine initially targeted users in South Korea, but has spread to countries including Vietnam, Azerbaijan, the Ukraine, Vietnam, the Philippines, Thailand and Venezuela, and is likely to spread elsewhere, Trend said.

The firm advised users to be wary of unsolicited messages and to enable privacy settings on social media.

What do you know about the history of mobile messaging? Find out with our quiz!