A malicious Chrome extension discovered by Kaspersky Labs in August 2017 which targets cryptocurrency trading platforms has resurfaced with a spike in April 2018. The malware reportedly made attempts in a number of countries including Japan and South Korea.
Malicious Chrome Extension Spreads Via Facebook Messenger to Target Cryptocurrency Trading Platforms
In August 2017, Kaspersky Labs researcher David Jacoby found an advanced form of malware which used Facebook Messenger to infect victims’ systems. It did this by displaying a fake error message in a redirected website that tricked users to download a malicious Google Chrome extension from the Google Web Store. TrendLabs has found the same malware again in April 2018 after a spike in reports in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.
Named FacexWorm by the TrendLabs team, the malicious extension lists and sends socially engineered links to the friends of an affected Facebook account and is capable of stealing accounts and credentials of its websites of interest, mostly cryptocurrency trading platforms. FacexWorm is a clone of a normal Chrome extension but injected with shortcode containing its main routine. It redirects victims to cryptocurrency scams with malicious mining codes on the webpage and hijacks transactions by replacing the recipient address with the attacker’s in trading platforms and web wallets.
FacexWorm propagates through Facebook Messenger as it redirects to a fake YouTube page that asks users to install a codec extension in order to play the video, which then requests privileged access. The granted permission leads to a stream of downloads of additional malicious codes from its command-and-control (C&C) server and Facebook in order to further spread the malware through the account’s friend list. If users are using browsers other than Chrome’s desktop version, the malware link diverts to a random advertisement.
The malware steals the victim’s account credentials for Google, MyMonero, and Coinhive, and redirects the user to a scam webpage if the browser accesses one of the 52 cryptocurrency trading platforms it targets or if searches for cryptocurrency-related keywords. The scam asks the user to send 0.5 – 10 ether (ETH) to the attacker’s wallet address for verification purposes and promises to send back 5 – 100 ETH.
FacexWorm also attacks the user’s computer for malicious web cryptocurrency mining, as it utilizes 20 percent of CPU power for each thread and opens four threads to mining on web pages. Moreover, the victim is vulnerable to cryptocurrency transaction hijacking as the malware locates the address keyed in by the victim and replaces it with another specified by the attacker. FacexWorm also earns money through cryptocurrency-related referral programs and it has redirected users to a number of websites, including Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.
Image from Shutterstock.