Si Cyber Intel: FacexWorm – Aggressive Malware Spreading Through Facebook Messenger
A malicious Google Chrome extension named FacexWorm has been aggressively targeting cryptocurrency trading platforms accessed via the Chrome browser. The malware self-propagates through socially engineered links sent via the popular social media platform Facebook Messenger to the friends and family of affected Facebook accounts.
FacexWorm was first discovered by researchers back in August 2017 (although not much was known about the malware back then) and by April 2018 researchers from Trend Micro noticed a spike in its activities and reported that FacexWorm had indeed resurfaced in Germany, Japan, Tunisia, Taiwan, Spain and South Korea.
Analysis carried out by Trend Micro identified that the malware has morphed into a hybrid: it not only retains its original features of listing and sending socially engineered web links to the contacts of infected Facebook accounts, but is now also able to steal victims’ account information and credentials for websites hijacked by this malicious extension.
FacexWorm has the capability to inject miners onto a web page, redirect possible victims to cryptocurrency scams and to the attacker’s referral link for cryptocurrency-related programs. It also has the ability to hijack transactions made in trading platforms and a victim's web wallet by changing the victim's address to that of the attacker.
Although it is currently unknown how much has been earned by this web mining, there have been reports of Bitcoin transactions compromised by FacexWorm.
Victims targeted by FacexWorm are automatically taken to a fake YouTube page that requests the victim to agree to and install the extension before being given access to a video. Once successfully installed, FacexWorm downloads additional malicious code from a command-and-control server and opens Facebook. FacexWorm detects that Facebook is open and requests an OAuth token from Facebook, which allows the malware to access the victim’s list of friends and family and subsequently continue spreading the fake YouTube links.
For information about Si Cyber’s malware detection and response capabilities, please contact firstname.lastname@example.org