Researchers at Trend Micro have documented a new campaign in which malicious actors distribute a Monero cryptocurrency miner called Digmine. It is being spread virally through the Facebook Messenger instant messaging application. The campaign targets users in countries including Ukraine, Azerbaijan, Vietnam, South Korea, the Philippines, Thailand, and Venezuela.
“We found a new cryptocurrency-mining bot spreading through Facebook Messenger, which we first observed in South Korea. We named this Digmine based on the moniker it was referred to in a report of recent related incidents in South Korea,” Trend Micro reports.
Vicious bot
The malware is disguised as a video file named “video_xxxx.zip”, where xxxx is an arbitrary string of digits. Last week, many users noticed such files arriving in their private messages. Inside the archive was the Digmine malware.
According to the researchers, Digmine only affects the desktop version of Facebook Messenger used in the Chrome browser. If the file is opened in the mobile version of the messenger, the malware does not run.
“A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim’s system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income,” stated the company.
Infection Chain
Once on the computer, Digmine contacts its server, from which it downloads and installs the cryptocurrency miner and a Chrome extension, and then sets itself to run automatically at startup. While the miner is busy generating cryptocurrency, the extension sends messages carrying the malware to the victim’s contacts on the victim’s behalf.
The method works only if the browser keeps the user logged in to their Facebook account. Otherwise, the extension cannot access the Messenger interface and cannot send out the spam.
“If the user has their Facebook account automatically logged in by default, the browser extension can interact with their account. It does so by downloading additional code from the C&C server. Digmine’s interaction with Facebook could get more functions in the future since it’s possible to add more code,” the company explained in its analysis of the bot.
Chrome normally allows extensions to be installed only from the official Chrome Web Store, but the attackers bypassed this restriction: the malicious extension is loaded from the command line rather than installed through the store.
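As an added illustration (not part of the original article or of Trend Micro's analysis), the following Python rule shows how a defender could spot the extension-installation step described above in process-creation telemetry: Chrome started with an unpacked extension loaded from disk via the command line instead of from the Web Store. The event format, file paths, process names and the expected-parent list are assumptions chosen for the example.

```python
import re
from typing import Optional

# Hypothetical process-creation records (a Sysmon-like event reduced to the fields that
# matter here). The sample events are constructed and are not taken from the Trend Micro report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default'},
    {"parent": "video_1234.exe", "image": "chrome.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                '--load-extension="C:\\Users\\alice\\AppData\\Roaming\\upd\\ext" https://www.facebook.com/messages'},
    {"parent": "cmd.exe", "image": "chrome.exe",
     "cmdline": 'chrome.exe --load-extension=C:\\Tools\\ext --disable-extensions-except=C:\\Tools\\ext'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

# --load-extension makes Chrome load an unpacked extension from a directory on disk, which
# is how an extension can be installed without going through the Chrome Web Store.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Parents from which a user-launched browser normally starts (assumption; tune per environment).
EXPECTED_PARENTS = {"explorer.exe"}

def flag_sideloaded_extension(event: dict) -> Optional[dict]:
    """Return a finding if chrome.exe was started with an extension loaded from the command line."""
    if event["image"].lower() != "chrome.exe":
        return None
    match = LOAD_EXT_RE.search(event["cmdline"])
    if not match:
        return None
    ext_path = match.group(1) or match.group(2)
    unusual_parent = event["parent"].lower() not in EXPECTED_PARENTS
    # An extension loaded from a user-writable location by a non-shell parent matches the
    # "dropper installs extension, then drives Messenger" pattern described in the article.
    user_writable = any(k in ext_path.lower() for k in ("\\appdata\\", "\\temp\\", "\\users\\"))
    severity = "high" if (unusual_parent and user_writable) else "medium"
    return {"parent": event["parent"], "extension_path": ext_path, "severity": severity}

def scan(events) -> list:
    """Run the rule over a batch of events and return only the findings."""
    return [f for f in (flag_sideloaded_extension(e) for e in events) if f]
```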
So far, the campaign has affected only Windows users. Trend Micro informed Facebook about the problem, and the company has already removed the malicious links from the messages, but the researchers say this has not solved the problem completely: the attackers can change their distribution method and launch a new campaign.
How to Prevent It?
Cryptocurrency mining is growing in popularity, so attackers are increasingly drawn to the mining botnet business. The more victims are infected, the bigger the profits: this is the basic logic behind every cybercriminal scheme. It is therefore no surprise that they are using popular social media platforms to distribute their malware.
If you want to prevent this type of cyber threat, simply follow the standard best practices for protecting social media accounts. First, think twice before you share anything that seems suspicious. Be equally cautious when downloading any files, even if they come from your friends. Second, be wary of unsolicited messages. Third, enable your account’s privacy settings.
In its official statement, Facebook claimed that “we maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”
Images Source: blog.trendmicro.com