Nigelthorn malware steals Facebook credentials, mines for cryptocurrency

The malware is spreading across Facebook in order to steal account details and install cryptocurrency mining scripts on victim machines.

A new malware campaign has been uncovered on Facebook which not only steals account credentials but also installs scripts for covert cryptocurrency mining.

Cybersecurity firm Radware said in a blog post on Thursday that Nigelthorn is a new campaign which focuses on the Facebook social network.

The malware is so called due to the abuse of a legitimate Google Chrome extension called "Nigelify," which replaces images displayed on a web page with pictures of Nigel Thornberry, a cartoon character from the television show The Wild Thornberrys.

Nigelthorn was discovered in May this year and has infected over 100,000 Facebook users in over 100 countries to date.

According to Radware researchers, the Nigelthorn campaign is propagating across the social network through social engineering and private messages and aims to dupe users into downloading malware for the purpose of account hijacking, cryptojacking, and click fraud.

Potential victims will see a message from a connection in their network which tags them in a post or will receive private messages which alternatively contain a malicious link or picture.

If a victim clicks through, the malicious link redirects victims to a fake YouTube page which requests that users install a Google Chrome extension in order to play video content.


In order to bypass Google's validation checks, the threat actor responsible creates copies of legitimate extensions and injects short, obfuscated, malicious scripts into them.

Once a user accepts the "Add Extension" request, a malicious extension is installed and the victim's system is added to a botnet.

These malicious extensions also redirect the victim to Facebook in order to generate a session token and hijack their online session, slurping up their Facebook account credentials and sending them to a command-and-control (C&C) server.

This access also permits the malware to send messages in their stead and propagate further.

Nigelthorn is also capable of stealing Instagram cookies if they are found.

Once the malicious extension is installed on the Google Chrome browser, malicious JavaScript comes into play. The script is downloaded from the C&C server and further installs a cryptomining tool.

This tool forces the victim's machine to covertly mine for cryptocurrencies, the proceeds of which are sent to mining pools controlled by the attacker.

Radware says that in the last few days the mining targets have been Monero, Bytecoin, and Electroneum, and that the attackers have made roughly $1,000.

Nigelthorn employs a number of techniques in order to maintain persistence on the victim's machine. If a victim tries to open the extensions tab, the malware automatically closes it. The malware also blocks users from downloading Facebook and Chrome cleaner tools, deleting Facebook posts, and making comments.
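Because the extension interferes with the very UI a user would use to remove it, the practical control in a managed environment is to take extension installation out of the user's hands. The following is an added example, not Radware's code or anything from the campaign: a Chrome enterprise policy file (on Linux it would be dropped into /etc/opt/chrome/policies/managed/) that blocks every extension by default and allows only a reviewed set; the extension ID shown is a placeholder, not a real extension.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
```

With this in place, a "Add Extension" prompt from a lookalike YouTube page cannot result in an install, regardless of whether the copy of Nigelify passed Web Store review.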

While malicious copies of Nigelify are responsible for the majority of infections, the researchers have also discovered other legitimate extensions which have been abused including PwnerLike and iHabno.

Four other extensions were detected by Google's security systems and were removed in less than 24 hours.

The majority of infections have taken place in the Philippines, Venezuela, and Ecuador.


"The malware depends on Chrome and runs on both Windows and Linux," the researchers say. "It is important to emphasize that the campaign focuses on Chrome browsers and Radware believes that users that do not use Chrome are not at risk."

A Google spokesperson told Threatpost that "we removed the malicious extensions from Chrome Web Store and the browsers of the small percentage of affected users within hours of being alerted."
