Info Stealing, Cryptocurrency Mining Malware Spreading Through Facebook
The malware FacexWorm is capable of stealing passwords and cryptocurrencies.
FacexWorm malware has reemerged on the Facebook Messenger app, stealing information and cryptocurrency from unsuspecting users. The malware directs users to fake links that urge them to install bogus Chrome extensions.
That is a warning from Clifton, N.J.-based cybersecurity firm Comodo. Last year, the FacexWorm malware inundated Facebook Messenger. It sent out false messages to steal user passwords and other sensitive data such as financial information.
FacexWorm is capable of stealing passwords and cryptocurrencies. It can even perform cryptojacking, injecting malicious mining code into the websites the victim visits, as well as hijack transactions and web wallets.
“In the latest round of re-emergence, FacexWorm has gained new capabilities that include launching cryptocurrency scams, mining infected computers for cryptocurrencies, and stealing user account credentials from websites,” Comodo revealed.
The FacexWorm malware sends socially engineered phony YouTube pages to trusting Facebook Messenger users, advising them to install a codec extension. FacexWorm also targets users who search for keywords such as ‘blockchain’ and ‘ethereum’. Once the malware detects a cryptocurrency-related search by the user, FacexWorm prompts the user to verify the wallet address by sending a token payment. Comodo noted that the malware has compromised only one bitcoin transaction so far, although there seems to be no way of getting that money back.
What Does FacexWorm Malware Do?
- According to Comodo, once installed, FacexWorm requests an OAuth (an open standard for access delegation) access token for the victim’s Facebook account. It then automatically obtains the victim’s friends list and sends the malicious links to them as well.
- If FacexWorm recognizes that the victim has opened a targeted website’s login page, it steals the user’s Google and MyMonero account credentials.
- The malware also injects cryptocurrency mining code into websites opened by the victim, which draws CPU power from the victim’s device. It can even hijack the user’s cryptocurrency-related transactions by locating the address the user keyed in and replacing it with an address provided by the hacker.
- If the victim tries to remove FacexWorm via Chrome’s extension management page, it quickly closes the opened tab.
- Comodo also pointed out that the hacker gets a referral incentive every time a victim registers an account on DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.
“The growing popularity of cryptocurrency mining is attracting more and more hackers to target users. Though Google and Facebook have several security measures in place, hackers are trying hard to spread malware like FacexWorm extensions,” Comodo said in a blog post. Users should therefore not open suspicious links, as they may deliver malware.