Recently, the security researchers have discovered a new Cryptojacking Bot (malware) that has targeted users across several countries simply to infect them to deliver a Monero cryptocurrency miner and a malicious Chrome extension that simply helps it to propagate to new victims via FB Messenger.
Cryptojacking Bot ‘Digimine’ Spreading Via FB Messenger
The social network giant Facebook is known by all as one of the most popular social networks in the world. That is why when there is a malware campaign it affects many users. Today we are facing one of these news.
This new variety is called DigiMine, and is a malware that is distributed through Facebook Messenger. This is, as we know, the official Facebook instant messaging platform. It has users on different platforms for both computer and mobile devices.
DigiMine, Facebook’s new malware campaign
DigiMine installs a Monero cryptocurrency miner in the victim’s equipment. It also introduces a malicious extension of the Google Chrome browser. This helps it spread to more victims.
As we know, crypto-mining is one of the types of malware that is increasing the most lately. Cybercriminals use users’ devices to undermine these digital currencies that are so booming. This directly affects the performance of these devices, as well as reducing the useful life of the devices due to overheating.
In addition, the fact that they attack Google Chrome and introduce a malicious extension in this browser is no accident. It is the most used in the different platforms. They have a large number of users there to infect.
Victims generally receive a file called video_xxxx.zip (where xxxx is a four-digit number) that tries to pass itself off as a video file. The file hides an .EXE file and the careless users who run this file will be infected with DigiMine.
A South Korean security researcher named c0nstant and experts at Trend Micro says that the server currently sends victims a Monero miner and a Chrome extension. DigiMiner also adds an automatic start mechanism based on the registry and then installs the Monero miner and the Chrome extension it just received.
Normally, Chrome extensions can only be loaded from the Chrome Web Store, the official website, but in this case, the attackers are installing the malicious extension using an ingenious trick that uses the parameters of the command line of the Chrome application.
The function of the extension is to access the Facebook Messenger profile of the user and send private messages to all contacts of the victim. This message contains a similar video_xxxx.zip.
The self-propagation mechanism used by this Chrome extension only works if Chrome automatically starts the user session on their Facebook accounts. If the user does not have Facebook credentials saved in Chrome, the extension will not work, since they will not be able to reach the Facebook Messenger interface to send their spam messages.
Researchers have discovered that attackers use EXE files. This means that only Windows users are currently targeted, but not Linux or Mac users. Apparently, the campaign was first addressed to users in South Korea but has since spread to other countries such as Vietnam, Azerbaijan, Ukraine, Philippines, Thailand and Venezuela.
So, what do you think about this new malware? Simply share your views and thoughts in the comment section below.