Watch out for video file (packed in zip archive) sent by your friends via Facebook messenger, according to the researchers from security firm Trend Micro crooks are using this technique to spread a new cryptocurrency mining bot dubbed Digmine.
The bot was first observed in South Korea, experts named it Digmine based on the moniker (비트코인 채굴기 bot) referred to in a report of recent related incidents in South Korea. Digmine infections were observed in other countries such as Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela.
Attackers are targeting Google Chrome desktop users to take advantage of the recent spike in the price of cryptocurrencies.
Digmine is a Monero-cryptocurrency mining bot disguises as a non-embedded video file, under the name video_xxxx.zip, but is actually includes an AutoIt script.
The infection starts after the victims click on the file, the malicious code compromise the system and downloads its components and related configuration files from a command-and-control server.
Digmine first installs a miner (i.e. miner.exe—a modified version of an open-source Monero miner known as XMRig) that silently mines the Monero cryptocurrency in the background. The bot also installs an autostart mechanism and launch Chrome with a malicious extension that allows attackers to control the victims’ Facebook profile and used it to spread the malware to the victim’s Messenger friends list.
“Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger’s desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended.” reads the analysis published by TrendMicro.
“Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. “
Researchers observed that since Chrome extensions can only be installed via official Chrome Web Store, crooks launch Chrome (loaded with the malicious extension) via command line.
“The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video” Trend Micro continues.
“The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.”
The technique doesn’t work when users open the malicious video file through the Messenger app on their mobile devices.
“The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.” continues the analysis.
Facebook had taken down most of the malware files from the social networking site.
Further info, including the IoCs are included in the report.
(Security Affairs – Facebook, Digmine miner)