This password-stealing malware uses Facebook Messenger to spread further

A spike infections follows an update to the password and cryptocurrency-stealing malware.
Written by Danny Palmer, Senior Writer

A form of malware which uses fake Facebook Messenger messages to spread has suddenly surged back into life and has developed new tricks to steal passwords, steal cryptocurrency and engage in cryptojacking.

First uncovered in August last year, the malware used phishing messages over Facebook Messenger to direct victims to fake versions of websites like YouTube, at which point they are encouraged to download a malicious Chrome extension.

The malware has remained under the radar since then, at least until April when it appears to have suddenly spiked in activity, targeting Facebook users around the world.

Analysis by researchers at security company Trend Micro - which has dubbed the malware FacexWorm - said that while the malicious software is still spread via Facebook and exploits Google Chrome, many of its capabilities have been completely reworked.

New abilities include the capability to steal account credentials from selected websites, such as Google as well as cryptocurrency websites. It also pushes cryptocurrency scams of its own and mines infected systems for additional currency.

But in order to conduct any of this activity, the malware needs to be installed on the system of a victim. Victims received a link out of the blue from a Facebook contact which directs them to a fake YouTube page.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

This page asks the victim to install a codec extension to play the video. If run, this extension will install FacexWorm, which asks for permissions to access the site and change data.

This worm enables contact with the command and control server to access Facebook. This connection results in more fake YouTube links being sent to contacts to continue the spread of the malware.

Researchers note that if the link is sent to a user who isn't using Google Chrome, the link diverts to a random advert - perhaps a remnant of the original function of the malware.

FacexWorm itself is a clone of a normal Google Chrome extension, but injected with malicious code. This is delivered by downloading additional JavaScript code each time the browser is opened and whenever a new website is opened.


Fake YouTube page used to distribute malware.

Image: Trend Micro

If the malware is coded to retrieve credentials from that site, it retrieves additional Javascript in order to execute additional behaviours, which include stealing login credentials.

In addition to this, the malware targets those using cryptocurrency trading platforms by searching for keywords like 'blockchain' and 'etherium' in the URL.

If this is detected, FacexWorm sends users to a scam webpage which asks the user to send anywhere between 0.5 and 10 of the Ether cryptocurrency for 'wallet address verification' with a promise it will send more back. Obviously, if a user does this, they'll get nothing back at all - fortunately, researchers say nobody has sent money to the address.

However, the attackers also attempt to maliciously earn cryptocurrency via other means, including the use of attacker-controlled referral links which provide them with some income each time users buy currency via the link.

FacexWorm also injects the victim with a cryptocurrency miner. Researchers say the miner uses just 20 percent of the infected system's CPU, a tactic likely adopted to ensure the miner isn't discovered.

See also: Cryptocurrency-mining malware: Why it is such a menace and where it's going next

But the malware does contain a mechanism to keep itself hidden; if the extension management tab is opened, FacexWorm will immediately close it, a protection method also used by malicious extensions such as DroidClub.

While Trend Micro says malicious extensions are quickly removed from the Chrome Web Store, the attackers are quick to re-upload them. ZDNet has contacted Google, but hadn't received a response at the time of writing.

Facebook is aware of the malware and said that Messenger can stop the spread of malicious links.

"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners," the company said in a statement.

In order to avoid becoming infected in the first place, Trend Micro warns users to: "Think before sharing, be more prudent against unsolicited or suspicious messages, and enable tighter privacy settings for your social media accounts."


Editorial standards