Malware analysis

Crooks Exploit Facebook to Spread Crypto-miner Malware

Pierluigi Paganini
May 11, 2018 by
Pierluigi Paganini

Social networks are a privileged attack vector that could be used by cybercriminals to spread malware to a wide audience.

In the last month's security experts discovered many strains of malware that were delivered through social networks, but recently with a growing interest in cryptocurrencies, crooks started using a platform like Facebook to spread cryptocurrency miners.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.


A few weeks ago, security experts at Trend Micro have discovered a new threat spreading through Facebook messenger.

Security researchers spotted a malicious Chrome extension, dubbed FacexWorm, which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts' credentials and run cryptocurrency mining scripts.

"Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger," reads the report published by Trend Micro.

The FacexWorm threat was first detected in late April and appears to be linked to two other Facebook Messenger spam campaigns that we will analyze later; one occurred in August 2017 and a second one that was launched in December 2017 to spread the Digmine cryptocurrency miner.

The malware experts observed a spike in FacexWorm activity, numerous infections were detected in several countries, including GermanyTunisiaJapanTaiwanSouth Korea, and Spain.

FacexWorm implements several features, including stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to rogue cryptocurrency sites, injecting cryptocurrency miners, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.

The following image shows the FacexWorm's infection chain; all starts with an apparently harmful link to a video that is shared via Facebook Messenger

Figure 1 - FacexWorm attack chain (Trend Micro)

FacexWorm propagates through links sent over Facebook Messenger to friends of an affected Facebook account. The link is used by attackers to redirect users to fake versions of popular video streaming websites, including YouTube. The attacker uses a social engineering trick to start the infection; the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video and to grant all extended permissions to complete the installation.

Once the malicious code receives full permissions, it can gain full control for any websites the user visits.

Currently, the malicious extension affects only Chrome users; experts noticed that if the malicious code detects a different browser, it redirects the user to an innocuous-looking advertisement.

"FacexWorm is delivered through socially engineered links sent to Facebook Messenger. The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website," continues the report.

Figure 2 - Malicious Link shared via Facebook Messenger

Once FacexWorm Chrome extension is installed on the victim's PC, it downloads more payloads from the command and control server to perform other malicious activities. Every time the victim opens a new page in the browser, the malicious extension will query the command and control server to receive JavaScript codes to perform malicious activities.

"FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened," continues the report.

"Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage."

Trend Micro detailed the malicious behaviors of the malware that include:

  • Steal the user's account credentials for Google, MyMonero, and Coinhive.
  • Push a cryptocurrency scam.
  • Conduct malicious web cryptocurrency mining.
  • Hijack cryptocurrency-related transactions.
  • Earn from cryptocurrency-related referral programs.

Digmine Cryptocurrency Miner

TrendMicro malware researchers linked the FacexWorm malware to other two Facebook Messenger spam campaigns, one of them is the Digmine cryptocurrency miner that was discovered at the end of 2017 by Trend Micro.

The Digmine mining bot was spread through Facebook Messenger too; crooks were using video file (packed in zip archive) sent by friends of the compromised account via Facebook messenger.

The first infections were observed in South Korea; the malicious code was named Digmine based on the moniker (비트코인
채굴기 bot) referred in a report of an incident that has happened in the Asian country.

Other Digmine infections were observed worldwide, most of the victims were in Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela.

Attackers targeted Google Chrome desktop users to take advantage of the spike in the price of cryptocurrencies.

Digmine is a Monero-cryptocurrency mining bot disguises as a non-embedded video file, under the name, but is actually includes an AutoIt script.

The infection starts after the victims click on file, the malicious code compromises the system and downloads its components and related configuration files from a command-and-control server.

Digmine first installs a miner (i.e., miner.exe—a modified version of an open-source Monero miner known as XMRig) that silently mines the Monero cryptocurrency in the background. The bot also installs an AutoStart mechanism and launch Chrome with a malicious extension that allows attackers to control the victims' Facebook profile and used it to spread the malware to the victim's Messenger friends list.

"Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger's desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended," reads the analysis published by TrendMicro.

"Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user's Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account's friends."

Researchers observed that since Chrome extensions can only be installed via the official Chrome Web Store, crooks launch Chrome (loaded with the malicious extension) via command line.

"The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video," Trend Micro continues.

"The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware's components."

Figure 3 - Digmine Attack Chain (Trend Micro)

Figure 4 - Digmine Message (Trend Micro)

The technique does not work when users open the malicious video file through the Messenger app on their mobile devices.

"The abuse of Facebook is limited to propagation for now, but it wouldn't be implausible for attackers to hijack the Facebook account itself down the line. This functionality's code is pushed from the command-and-control (C&C) server, which means it can be updated," continues the analysis.

Facebook had removed most of the malicious files from the social networking site.

A Common Origin

Both Digmine and the FacexWorm campaigns appear to be linked to another malware campaign discovered by Kaspersky in August 2017.

At the time, the researcher David Jacoby at Kaspersky Lab discovered a new advanced strain of malware that was using Facebook Messenger as propagation mechanism.

Jacoby discovered the malicious code after a friend sent him a link to a video file in Messenger, the malicious message stated "< your friend name > Video" followed by a link, as shown.

Figure 5 - Malicious message

Experts noticed that when the victim clicks on the fake video, the malicious code redirects him to a set of websites which gather information on his system (i.e., Browser, OS) to choose the website to which he must be redirected.

Users are redirected following a domain chain, many websites on different domains used to redirect the victim depending on some characteristics (i.e., System info, Language, geolocation, browser information, operating system, installed plugins and cookies).

The malicious link referenced a Google doc that was containing a picture from the sender's Facebook page and a dynamic landing page created on the fly which appeared as a playable movie.

Figure 6 - Fake video used as a bait

"What I noticed during my research was that when changing the User-Agent header (browser information) the malware redirects you to different landing pages. For example, when using Firefox I was redirected to a website displaying a fake Flash Update notice, and then offered a Windows executable. The executable is flagged as adware," he said.

Threat actors leveraged compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

"The initial spreading mechanism seems to be Facebook Messenger, but how it actually spreads via Messenger is still unknown. It may be from stolen credentials, hijacked browsers or clickjacking. At the moment we are not sure because this research is still ongoing," reads the analysis published by Kaspersky Lab.

The malware is multi-platform, it works on both Windows and MacOS systems, and it is independent of the browser used by the victims.

Google Chrome users, for example, are redirected to a website that appears as YouTube that displays a fake error message popup, tricking victims into downloading a malicious Chrome extension from the Google Web Store to view the video correctly.

The fake extension is a downloader that delivers a file to the victim's computer.

Figure 7 - Social engineering trick

Experts observed similar tricks for Apple Mac OS X Safari users and Linux users.

"It has been a while since I saw these adware campaigns using Facebook, and it's pretty unique that it also uses Google Docs, with customized landing pages. As far as I can see no actual malware (Trojans, exploits) are being downloaded but the people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts," concluded Kaspersky.


The exploitation of social media platform as an attack vector is not a novelty, the cases analyzed in this post shares the same origin and the attack techniques are quite similar.

Users must adopt good security hygiene, they must be vigilant on unsolicited or suspicious messages, even when friends send them.

On the other end, social media platforms are already implementing features to identify fraudulent links and rapidly remove them.


Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.