Malware Spreads Cryptocurrency Miner Via Facebook Messenger

Digimine spreads through an infected file attached to Facebook direct messages. Credit: Trend Micro

Security researchers have warned that cryptocurrency-mining malware is spreading through Facebook Messenger via infected messages that may appear to originate from people users know.

Digimine is able to access users’ Facebook accounts and send direct messages to their friends, increasing the likelihood that targets will click on the infected attachment, said computer security firm Trend Micro.

The attachment appears to be a video file, usually named “”, where the x’s are numeric digits, but is in fact an executable script.

While Facebook Messenger runs on a number of different platforms, the script will only run properly on one of them – the Chrome web application running on a Windows system.

Account access

If the user’s Facebook account is set to log in automatically, the malware accesses it to send direct messages. Trend said the malware is capable of receiving updates that could see it hijack users’ Facebook accounts.

When launched, Digimine alters the Windows registry so that the malware starts automatically at launch, and adds a malicious browser extension to Chrome that carries out the interactions with the user’s Facebook account.

Chrome extensions can normally only be installed from the Chrome Web Store, a restriction Google put in place recently to boost security, but the malware gets around that block by launching Chrome along with the malicious add-on via the command line.
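A detection sketch for the launch pattern described above, added here as an example and not taken from the article or from Trend Micro's advisory. It assumes the add-on is supplied through Chrome's `--load-extension` switch and reviews process-creation records for such launches. The event field names, the directory and parent-process lists, and the sample records are assumptions constructed for illustration.

```python
import ntpath
import re

# The flag value may be quoted on its own, or the whole argument may be quoted.
LOAD_EXT = re.compile(
    r'"--load-extension=([^"]+)"|--load-extension="([^"]+)"|--load-extension=(\S+)',
    re.IGNORECASE,
)
# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Assumption: parents that normally start Chrome on a desktop.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}

def extension_paths(command_line):
    """Return every directory passed to --load-extension (comma-separated)."""
    paths = []
    for match in LOAD_EXT.finditer(command_line):
        value = next(g for g in match.groups() if g)
        paths.extend(p.strip() for p in value.split(",") if p.strip())
    return paths

def review(event):
    """Return a finding for a Chrome launch that sideloads an extension."""
    if ntpath.basename(event["image"]).lower() != "chrome.exe":
        return None
    paths = extension_paths(event["command_line"])
    if not paths:
        return None
    reasons = ["extension loaded from command line"]
    if any(d in p.lower() + "\\" for p in paths for d in USER_WRITABLE):
        reasons.append("extension directory is user-writable")
    if ntpath.basename(event["parent_image"]).lower() not in EXPECTED_PARENTS:
        reasons.append("unexpected parent process")
    return {"paths": paths, "reasons": reasons}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [  # constructed process-creation records, not real telemetry
    {"image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" --profile-directory=Default'},
    {"image": CHROME, "parent_image": r"C:\Users\alice\AppData\Roaming\loader_sample.exe",
     "command_line": f'"{CHROME}" ' + r'--load-extension="C:\Users\alice\AppData\Roaming\sample ext"'},
    {"image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" ' + r"--load-extension=C:\dev\ext_a,C:\dev\ext_b"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(review(event))
```

The third record shows why the reasons are kept separate: an extension developer's launch still matches the switch, so the writable-path and parent checks are what separate it from the second record.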

It may also open a website that plays a decoy video, in order to distract the user’s attention from its malicious activities.

Monero mining

One of the malware’s components downloads a tool that uses the user’s processing power to mine the Monero cryptocurrency, using open-source mining code called XMRig.

Trend said the malware is an example of criminals cashing in on recent interest in cryptocurrencies, which are generated via processor-heavy calculations.

“The increasing popularity of cryptocurrency mining is drawing attackers back to the mining botnet business,” Trend researchers said in an advisory. “Like many cybercriminal schemes, numbers are crucial – bigger victim pools equate to potentially bigger profits.”

Facebook said it had removed the links Digimine was initially using to spread.

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger,” the company said in a statement, adding it would provide help to users who suspect their systems are infected with malware.

Trend said it expects the malware’s developers to continue to find ways to infect new users.

Digimine initially targeted users in South Korea, but has spread to countries including Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand and Venezuela, and is likely to spread elsewhere, Trend said.

The firm advised users to be wary of unsolicited messages and to enable privacy settings on social media.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
