Warning! Cryptocurrency Miner spreading via Facebook Messenger
Cryptocurrency has become a major target for attackers, who now routinely compromise PCs and smartphones to use them for mining, and the number of such campaigns keeps growing. A new cryptocurrency-mining bot, dubbed Digmine, has been discovered spreading across the world through the popular Facebook Messenger platform, the Tokyo-headquartered cybersecurity firm Trend Micro has warned.
First spotted in South Korea, Digmine has also been found in Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela, and is likely to spread soon to other countries where it has so far remained dormant.
Facebook Messenger runs on several platforms, but the Digmine malware, which is disguised as a video file (usually named video-xxxx.zip), is reported to affect only the desktop version of the app used through Google Chrome. If the zip file is opened on other platforms, the malware will not work as intended, according to researchers at Trend Micro.
Additionally, if a user’s Facebook account is set to log in automatically, Digmine hijacks Messenger to send a copy of itself to every friend in the account holder’s contact list. "The use of Facebook Messenger is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated," the researchers said.
"A known modus operandi of cryptocurrency-mining botnets and particularly for Digmine will remain dormant in the victim’s system for as long as possible. The virus wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income," the Trend Micro blogpost stated.
The malware also performs other routines, such as installing a registry autostart mechanism and leaving system infection markers. It can search for and launch Chrome, then load a malicious browser extension whose code it retrieves from the C&C server.
Moreover, if Chrome is already running, the malware terminates and relaunches it to make sure the extension gets loaded. Although Chrome normally only loads extensions installed from the Chrome Web Store, the attackers bypass this restriction by launching Chrome from the command line, the researchers note.
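The three behaviours described above (a zip lure named like a video, Chrome relaunched from the command line with a sideloaded extension, and a registry autostart entry) are all visible in ordinary endpoint telemetry. The following Python script, added here as an illustration and not code from Trend Micro or the article, runs three simple detection rules over a handful of constructed process, registry and file events in an assumed key=value log format. The `--load-extension` switch is a real Chrome option for loading an unpacked extension, but the article does not say which switch Digmine uses, so treating it as the sideloading mechanism is an assumption; the temp-directory path, the event names and the sample values are likewise constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (assumed format: "<timestamp> <event_type> key=value ...").
# None of these values are real Digmine indicators; they only mirror the
# behaviours the article describes.
SAMPLE_EVENTS = [
    '2017-12-21T10:02:11Z process_start parent=explorer.exe '
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'cmdline="chrome.exe --profile-directory=Default"',
    '2017-12-21T10:05:40Z process_start parent=video-1234.exe '
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'cmdline="chrome.exe --load-extension=C:\\Users\\bob\\AppData\\Local\\Temp\\ext --no-sandbox"',
    '2017-12-21T10:05:41Z registry_set '
    'key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value="video-1234" data="C:\\Users\\bob\\AppData\\Local\\Temp\\video-1234.exe"',
    '2017-12-21T10:07:03Z file_create path="C:\\Users\\bob\\Downloads\\video-9876.zip" source=messenger',
    '2017-12-21T10:08:00Z file_create path="C:\\Users\\bob\\Downloads\\report.pdf" source=messenger',
]

# key=value pairs, where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Chrome switch that loads an unpacked extension from disk (assumed to be the sideload path).
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s)')
# User-writable temp directory; autostart entries pointing there are suspicious (assumption).
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
# Lure naming pattern from the article ("video-xxxx.zip"); the xxxx part is taken to be any word characters.
LURE_NAME_RE = re.compile(r'video-\w+\.zip', re.I)


@dataclass
class Event:
    ts: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_event(line):
    """Split one log line into timestamp, event type and a dict of key=value fields."""
    ts, kind, rest = line.split(' ', 2)
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    return Event(ts, kind, fields)


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def rule_chrome_sideloaded_extension(ev):
    """Chrome started with an unpacked extension instead of one from the Web Store."""
    if ev.kind != 'process_start':
        return None
    if not basename(ev.fields.get('image', '')).lower() == 'chrome.exe':
        return None
    if LOAD_EXT_RE.search(ev.fields.get('cmdline', '')):
        return 'chrome_sideloaded_extension'
    return None


def rule_run_key_to_temp_executable(ev):
    """Registry Run autostart entry whose target lives in a user temp directory."""
    if ev.kind != 'registry_set':
        return None
    if not ev.fields.get('key', '').lower().endswith('\\currentversion\\run'):
        return None
    if TEMP_DIR_RE.search(ev.fields.get('data', '')):
        return 'run_key_to_temp_executable'
    return None


def rule_messenger_video_zip_lure(ev):
    """Zip file named like a video arriving via Messenger."""
    if ev.kind != 'file_create' or ev.fields.get('source') != 'messenger':
        return None
    if LURE_NAME_RE.fullmatch(basename(ev.fields.get('path', ''))):
        return 'messenger_video_zip_lure'
    return None


RULES = [rule_chrome_sideloaded_extension, rule_run_key_to_temp_executable, rule_messenger_video_zip_lure]


def scan(lines):
    """Return (timestamp, rule_name) for every event that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append((ev.ts, name))
    return findings


if __name__ == '__main__':
    for ts, name in scan(SAMPLE_EVENTS):
        print(ts, name)
```

Each rule on its own is noisy (developers sideload extensions, installers write Run keys), so in practice these would be correlated: a Run key and a sideloaded Chrome extension appearing within seconds of a Messenger download, as in the constructed sample, is a much stronger signal than any one of them.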
Earlier, in 2016, during a similar outbreak, a Facebook spokesperson told ZDNet that "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners." Facebook has also published tips and links to help users stay secure, which can be found at facebook.com/help.
Facebook users are therefore advised not to open links or files they do not recognise, and to remain cautious while online.