Hackers using Facebook messenger to mine cryptocurrency

With the growing interest in cryptocurrency there has been a matching growth in malware written to earn that digital money for somebody else. Trend Micro recently discovered one such threat, a cryptocurrency-mining bot it calls Digmine, that spreads through Facebook Messenger. It was first observed in South Korea, where Messenger is one of the most widely used instant-messaging apps, but there is every chance of it spreading around the world.

Similar cases have also been found in Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand and Venezuela.

Although Facebook Messenger runs on many platforms, this malware only works on desktop machines that have Google Chrome installed. If the same file is opened on a mobile device, the malware does not run.

The malware usually arrives in Messenger as a zip file. Open it and, bam, it starts mining cryptocurrency on your machine.

Digmine installs a modified version of XMRig, the open-source Monero miner. Once the miner is in place, the malware checks for an installed copy of Google Chrome (and its version) and, if it finds one, launches it with a malicious extension loaded. Google Chrome normally only allows extensions to be installed from the official Chrome Web Store; the attackers get around this by starting Chrome themselves, from the command line, with their extension already loaded.

     “The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video” Trend Micro researchers say.

    “The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.”

If Google Chrome is installed, the extension opens Facebook and sends the malware to all of the victim's contacts in order to spread. If Chrome is already running, the malware relaunches it so that the extension is loaded.

Because the malware fetches its configuration from a command-and-control (C&C) server, the attackers can upgrade its functionality whenever they need to.

How the infection works

On infection, Digmine first downloads its configuration files from the C&C server into the %appdata%\<username> directory.

It then adds an autostart mechanism so that Google Chrome is relaunched, with the malicious extension loaded, every time the system starts.
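Chrome will load an unpacked extension from any directory on disk when it is started with its --load-extension command-line switch, which is the usual way to get an extension in without the Web Store. That gives a defender a concrete thing to look for on a Windows endpoint: Chrome being started (by a user, or from an autostart entry) with that switch, especially when the extension directory sits under %appdata%, where this article says Digmine keeps its files. The script below is an added example written for this page; it is not Trend Micro's code or anything taken from the malware. It assumes only the real --load-extension switch and the Run key as the autostart location; the process command lines, paths, user name and the ChromeUpdate value name are constructed samples. On a live system the inputs would come from the process list (e.g. Get-CimInstance Win32_Process) and from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

```python
import re
from pathlib import PureWindowsPath

# Chrome loads an unpacked extension from a directory on disk when started with
# this switch, with no Web Store involved. Several directories can be given,
# separated by commas, and the value may be quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# The article says Digmine drops its files under %appdata%\<username>; anything
# Chrome is told to load from there deserves a closer look.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\|%appdata%", re.IGNORECASE)


def first_token(cmdline):
    """Return the executable part of a Windows command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def is_chrome_launch(cmdline):
    """True when the command line starts chrome.exe (any install location)."""
    return PureWindowsPath(first_token(cmdline)).name.lower() == "chrome.exe"


def extension_dirs_from_cmdline(cmdline):
    """Return the directories passed via --load-extension, or [] if absent."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p.strip() for p in value.split(",") if p.strip()]


def assess_cmdline(cmdline):
    """Return the reasons a command line looks like extension sideloading.

    An empty list means nothing suspicious. Developers also use
    --load-extension, so a hit is a lead to investigate, not proof of infection.
    """
    reasons = []
    exe = first_token(cmdline)
    ext_dirs = extension_dirs_from_cmdline(cmdline)
    if is_chrome_launch(cmdline) and ext_dirs:
        reasons.append(f"chrome.exe started with --load-extension ({len(ext_dirs)} dir(s))")
        for d in ext_dirs:
            if APPDATA_RE.search(d):
                reasons.append(f"extension directory under %appdata%: {d}")
    if APPDATA_RE.search(exe):
        reasons.append(f"executable itself lives under %appdata%: {exe}")
    return reasons


def scan_processes(cmdlines):
    """Map each suspicious process command line to its list of reasons."""
    findings = {}
    for cmd in cmdlines:
        reasons = assess_cmdline(cmd)
        if reasons:
            findings[cmd] = reasons
    return findings


def scan_run_key(entries):
    """Same check over autostart entries given as {value name: command line}."""
    findings = {}
    for name, cmd in entries.items():
        reasons = assess_cmdline(cmd)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample data (not captured from a real infection): two normal
# processes and one Chrome launch that sideloads an extension from %appdata%.
SAMPLE_PROCESS_CMDLINES = [
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Roaming\alice\ext" --no-first-run',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

# Constructed Run-key values: a benign OneDrive entry and a hypothetical
# "ChromeUpdate" entry that relaunches Chrome with the sideloaded extension.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ChromeUpdate": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\AppData\Roaming\alice\ext',
}

if __name__ == "__main__":
    for cmd, reasons in scan_processes(SAMPLE_PROCESS_CMDLINES).items():
        print("PROCESS:", cmd)
        for r in reasons:
            print("   -", r)
    for name, reasons in scan_run_key(SAMPLE_RUN_KEY).items():
        print("RUN KEY:", name)
        for r in reasons:
            print("   -", r)
```

The check deliberately flags any Chrome launch with --load-extension rather than trying to match a specific directory name, because the directory is attacker-controlled and easy to change; the %appdata% test only adds weight to a finding.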

