Monero mining malware maligns Messenger


The popularity and resultant price increase of Bitcoin and its ilk has become a magnet for cybercrime and hackers vying to get an illicit profit from crypto mining. By utilizing the path of least resistance and preying on the vulnerabilities of the uninitiated they have taken to the easiest platform to exploit – social media.

Facebook is already an out of control web of digital detritus, clickbait, spam, and fake news. Now it’s instant Messenger service has fallen victim to an exploit which allows attackers to secretly mine cryptocurrency by harnessing the computing power of those infected. Researcher and cyber security firm Trend Micro discovered the malware which consists of a mining bot called Digmine.

It is spread via a fake video that appears to have been sent from someone in the victim’s friends list. Once opened the ‘video’ installs malicious code which will compromise the desktop version of Facebook Messenger when used with Google Chrome. Hackers then have a backdoor into the users Facebook account where they can access the contacts list to further spread the malware.

Researchers at Trend Micro stated:

“If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line.”

It currently does not affect mobile versions of Messenger as its primary target is desktops with CPU power that can be used to mine Monero, an anonymous crypto cousin of Bitcoin. The profits from this illicit computer-jacking are sent to the attacker’s encrypted Monero wallet. The software is a modified version of open source mining program XMRig which the bot sets to start automatically. This will fire up Google Chrome with an infected extension that allows the hackers to access Facebook profiles.

According to the Trend Micro team:

“The extension will read its own configuration from the Command and Control server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.”

Officially Chrome extensions can only be downloaded from their web store but in this case the malignant code is added via the command line. This is not the first or last time mining malware has been used to exploit systems, back in October a malicious program called Coinhive was embedded into a number of compromised apps on Google Play. A new trend in crypto malware is emerging so extra caution is needed for heavy users of social media.

Leave a Reply