FacexWorm infection chain

Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users.

This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware.

Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.

How FacexWorm spreads and infects users

The infection chain has remained the same and usually starts with users receiving link spam via Facebook Messenger.

Clicking the link leads users to a web page mimicking YouTube, which tries to trick the user into installing a YouTube-themed Chrome extension.

FacexWorm spam

Trend Micro says it analyzed this extension and found numerous malicious functions. For starters, the rogue extension adds code to users' Chrome browsers to steal login credentials from login forms.

This behavior isn't active on all sites, but only when users are accessing Google, Coinhive, or MyMonero web accounts. Collected credentials are sent to the FacexWorm gang's servers.

FacexWorm redirects users to scam pages

Second, the rogue FacexWorm extension automatically redirects users to a web page pushing a cryptocurrency scam, asking users to send over a small Ether sum to verify their account.

The redirection takes place only when users try to access cryptocurrency-related sites. The extension comes with a list of 52 websites on which the redirection becomes active. In addition, the redirection also triggers on sites whose URLs include terms such as "eth," "ethereum," or "blockchain."

FacexWorm scam site

Third, the extension also inserts a cryptojacking mining script, loading an instance of the Coinhive in-browser miner, which mines Monero for the FacexWorm gang.

FacexWorm can also steal cryptocurrency

Fourth, the rogue extension also switches recipient information for cryptocurrency transactions on trading platforms such as Poloniex, HitBTC, Bitfinex, Ethfinex, Binance, and Blockchain.info.

Trend Micro says FacexWorm can replace details for Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR) transactions, switching the recipient's address with one owned by the FacexWorm malware creators.

According to Trend Micro, crooks didn't manage to make a profit out of this scheme, as researchers caught and reported the extension early on, and the cryptocurrency addresses associated with this campaign only recorded one transaction worth a meager $2.49.

Crooks also tried to make money via referral URLs

Last but not least, when users try to access certain sites, the rogue FacexWorm extension also redirects them to referral URLs, giving the malware authors another way to earn money from infected hosts.

The referral URL redirection has been spotted for sites such as Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.

Trend Micro said it had an integral role in shutting down this campaign as soon as it got started, reporting it to both Google and Facebook. The Chrome Web Store staff intervened by removing the extension, while Facebook banned domains associated with the spam messages.
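Because every behavior described above depends on the extension being allowed to run code on the pages users visit, one defensive check is to audit which installed extensions can reach sensitive sites. The following is an added example, not code from Trend Micro or from the malware; the hostnames, sample manifests, and function names are assumptions made for illustration.

```python
import re

# Hostnames assumed here for services the article names (not from the article).
SENSITIVE_HOSTS = ["accounts.google.com", "coinhive.com", "mymonero.com",
                   "poloniex.com", "www.binance.com", "blockchain.info"]
PATTERN_RE = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)$")

def host_patterns(manifest):
    """Collect match patterns that grant page access: content-script matches,
    MV3 host_permissions, and host entries in MV2 permissions."""
    pats = []
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    pats += manifest.get("host_permissions", [])
    pats += [p for p in manifest.get("permissions", [])
             if isinstance(p, str) and (p == "<all_urls>" or "://" in p)]
    return pats

def pattern_covers(pattern, host):
    """True if a match pattern covers https://<host>/. Only scheme and host
    are compared; the path part is ignored, which errs toward flagging."""
    if pattern == "<all_urls>":
        return True
    m = PATTERN_RE.match(pattern)
    if not m or m.group(1) not in ("*", "https"):
        return False
    ph = m.group(2)
    if ph == "*":
        return True
    if ph.startswith("*."):  # "*.example.com" covers example.com and subdomains
        return host == ph[2:] or host.endswith(ph[1:])
    return host == ph

def audit(manifest, hosts=SENSITIVE_HOSTS):
    """Return {host: [patterns]} for each sensitive host the extension reaches."""
    pats = host_patterns(manifest)
    report = {}
    for h in hosts:
        hits = [p for p in pats if pattern_covers(p, h)]
        if hits:
            report[h] = hits
    return report

# Constructed sample manifests (not the real FacexWorm manifest).
BROAD = {"name": "Video helper A", "permissions": ["tabs", "<all_urls>"],
         "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}
NARROW = {"name": "Video helper B", "permissions": ["storage"],
          "content_scripts": [{"matches": ["https://*.youtube.com/*"]}]}
```

Feed `audit()` the parsed `manifest.json` of each installed extension; a video-themed extension that reports access to login or exchange hosts deserves a closer look.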

Image credits: Trend Micro
