Digmine Cryptocurrency-Mining Bot Is Spreading Through Facebook Messenger

Many people can be tricked by malicious links. For this reason, any links that are sent through emails, websites and messaging apps should be treated with caution.

With cryptocurrencies becoming more popular due to their rising prices, people simply want more of them. But because mining cryptocurrencies takes a lot of computing power and electricity, malicious miners get their share by either hacking other people's machines or running drive-by cryptomining in the browser.

There are more and more websites that surreptitiously mine the cryptocurrency Monero using visitors’ CPUs. But when that is not enough, miners are also spreading their mining malware through Facebook Messenger.

Tokyo-headquartered cybersecurity firm Trend Micro was the first to discover the bot. Dubbed 'Digmine', it was initially found in South Korea.

But since then, it has spread to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela. With how easily people share links on Messenger, Digmine could reach other countries very quickly.

Here, the malicious miners send links to supposed videos with alluring names, like 'video_xxxx.zip'. Written as an AutoIt executable script, the malware can spread from one person to another via Facebook Messenger contacts. Opening the link will launch Google's Chrome web browser (if present) along with a malicious browser extension.

Once the malware infects a system, Chrome will then install a modified version of XMRig (a Monero mining tool). While Chrome extensions can normally only be loaded and hosted from the Chrome Web Store, the attackers were apparently able to bypass this by launching Chrome from the command line.

With the extension running, the browser can then mine the cryptocurrency in the background using the victim’s CPU, sending all profits back to the hackers.

What makes things worse is that the Chrome extension is also used to spread the malware and to perform other routines, such as installing a registry autostart mechanism and a system infection marker.
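The two behaviours just described, Chrome being started from the command line to side-load an unpacked extension and an autostart entry being written so the extension comes back after a reboot, are both visible in ordinary endpoint telemetry. The script below is an added example of how a defender might flag them; it is not code from the article or from Trend Micro. It assumes process-creation events have already been normalised into dictionaries with Sysmon-style `Image`, `CommandLine` and `ParentImage` fields, and it keys on Chrome's documented `--load-extension` switch, which loads an unpacked extension from a directory. Whether Digmine used exactly that switch is not stated on this page, so that is an assumption; the sample events and Run values are constructed for the example.

```python
import ntpath
import re
from typing import Dict, List

# --load-extension is a legitimate Chrome developer switch, so the signal is not
# the switch itself but where the extension lives and what launched the browser.
LOAD_EXT_RE = re.compile(r"--load-extension(?:=|\s)", re.IGNORECASE)
EXT_PATH_RE = re.compile(r'--load-extension=("[^"]+"|\S+)', re.IGNORECASE)
# Directories an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)
# Parents that normally start Chrome on a workstation; anything else is worth a look.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}

# Constructed sample process-creation events (not real Digmine telemetry).
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {   # dropper in %TEMP% launching Chrome with a side-loaded extension
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" --load-extension=C:\Users\alice\AppData\Local\Temp\ext --no-startup-window',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\player.exe",
    },
    {   # ordinary browsing session started from the desktop
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" https://example.com',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Constructed sample HKCU\...\CurrentVersion\Run values (value name -> command).
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Chrome_Update": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                     r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext" --no-startup-window',
}


def flag_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like a side-loaded extension launch."""
    reasons: List[str] = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    if image != "chrome.exe" or not LOAD_EXT_RE.search(cmd):
        return reasons
    reasons.append("chrome.exe launched with --load-extension (unpacked extension, not from the Web Store)")
    m = EXT_PATH_RE.search(cmd)
    ext_path = m.group(1).strip('"') if m else ""
    if USER_WRITABLE_RE.search(ext_path):
        reasons.append(f"extension loaded from user-writable path: {ext_path}")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent and parent not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent process: {parent}")
    return reasons


def flag_run_value(name: str, value: str) -> List[str]:
    """Flag an autostart (Run key) value that relaunches Chrome with a side-loaded extension."""
    reasons: List[str] = []
    if "chrome.exe" in value.lower() and LOAD_EXT_RE.search(value):
        reasons.append(f"Run value '{name}' starts chrome.exe with --load-extension")
    return reasons


def scan(events: List[Dict[str, str]], run_values: Dict[str, str]) -> List[str]:
    """Run both checks and return every finding as one line of text."""
    findings: List[str] = []
    for ev in events:
        findings.extend(flag_process_event(ev))
    for name, value in run_values.items():
        findings.extend(flag_run_value(name, value))
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_RUN_VALUES):
        print("ALERT:", line)
```

The first sample event trips all three checks (the switch, a `%TEMP%` extension directory and a non-browser parent), the second is ignored entirely, and only the constructed `Chrome_Update` Run value is flagged. A developer who loads an unpacked extension from a project directory would still trigger the first reason, so in practice the path and parent reasons are what separate an incident from a false positive.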

If someone has their Facebook account set to log in automatically, the fake video file link will automatically be sent to all their friends via Messenger.

"The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line," said Trend Micro. This is because the functionality’s code is pushed from the command-and-control server, which means it can be updated at any time.

The goal of this cryptocurrency-mining botnet is to stay in the victim’s system for as long as possible. It also aims to infect as many machines as possible, since more machines mean a higher hashrate and potentially more criminal income.

At the time of discovery, Digmine only works through the desktop version of Chrome; opening the malicious file directly inside the Facebook or Messenger app or on the mobile website does nothing. Opening the file on other platforms also won't make the malware work as intended.

After acknowledging the issue, Facebook quickly took down any links connected to Digmine.

"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger," Facebook said in a statement. "If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners."

Because the links can come from Messenger friends whose computers have been infected, the best way to avoid the malware is to never open suspicious links.

Published: 27/12/2017