Digmine malware

Users across several countries are being targeted in a campaign that delivers a new strain of malware named Digmine that installs a Monero cryptocurrency miner and a malicious Chrome extension which helps it propagate to new victims.

The malware spreads via Facebook Messenger, which is Facebook's official instant messaging platform.

Digmine spread via Faceboom DMs

Victims usually receive a file named video_xxxx.zip (where xxxx is a four-digit number) that tries to pass as video file. The archive hides an EXE file. Users careless enough the run the file will infect themselves with Digmine.

Under the hood, Digminer is written in AutoIt and has little features except to contact a remote command-and-control (C&C) server for instructions.

A South Korean security researcher named c0nstant and experts from Trend Micro say that currently, the C&C server sends back to victims a Monero miner and a Chrome extension.

Digminer also adds a registry-based autostart mechanism, and then installs the Monero miner and the Chrome extension it just received.

Normally, Chrome extensions can only be loaded from the official Chrome Web Store, but in this case, the attackers are installing the malicious extension via a clever trick that uses Chrome application command-line parameters.

Chrome extension used as self-propagation system

The extension's role is to access the user's Facebook Messenger profile and send private messages to all the victim's contacts containing a similar video_xxxx.zip.

The self-propagation mechanism used by this Chrome extension only works if Chrome auto-logs-in users into their Facebook accounts. If the user does not have Facebook credentials saved in Chrome, the extension won't work, as it won't be able to reach the Facebook Messenger interface to send its spam messages.

Researchers have spotted attackers dropping EXE files, meaning only Windows users are currently targeted, but not Linux or Mac users. The campaign appears to have first targeted South Korean users, but has since spread to Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela.

Facebook intervened and stifled current campaign

Trend Micro said they reached out to Facebook. The social network removed the malicious links from people's Messenger conversations, but the reality is that the Digmine crew can easily change the current distribution links and start a campaign anew.

"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger," a Facebook spokesperson said. "If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help".