Facebook messenger malware mines Monero

Reports are emerging today of malicious software that targets Facebook Messenger to mine cryptocurrency. As Bitcoin and altcoins grow in popularity and value, hackers and cyber-criminals will look for weak links to exploit in order to take a share of it. There is no weaker link than social media, which is a minefield of scams, fake news, clickbait and now mining malware.

According to researchers at the cyber security firm Trend Micro, the malware, dubbed Digmine, infects the desktop version of Facebook’s instant messenger platform. The bot is designed to harness CPU power on the victim’s machine to secretly mine Monero, an altcoin whose blockchain is designed for anonymity.

It arrives disguised as a video file sent from someone on the user’s friends list, so that it appears genuine. At the moment it only targets the desktop version of the chat software running in Google Chrome; mobile versions are not affected. Attackers will also be able to gain access to the user’s Facebook profile and friends list in order to spread the malware further. Researchers at Trend Micro said:

“If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line.”

Once a machine is infected, a crypto miner based on XMRig, an open-source Monero miner, is installed; it silently consumes CPU resources in the background to mine Monero and sends the proceeds to the attackers. The bot also installs an automatic startup script that launches the Chrome browser preloaded with a malicious extension. This is done via the command line, because Chrome normally only accepts extensions installed from the Chrome Web Store.
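As an added example for the mechanism just described (this is not code from the article or from Trend Micro), the following Python script shows the kind of host-side check a defender might run: it looks for Chrome being started with the Chromium side-load switches `--load-extension` and `--disable-extensions-except` (real switches, whether in a running process or in an autorun entry), and for command lines that look like an XMRig-style miner (a stratum pool URL, XMRig's `--donate-level` option, or a pool host:port after `-o`/`--url`). All process records, autorun entries, file paths, the wallet string and the pool address are constructed sample data, not Digmine indicators.

```python
import re
from dataclasses import dataclass

# Chromium command-line switches that side-load an unpacked extension from an
# arbitrary directory, bypassing the Chrome Web Store.
SIDELOAD_SWITCHES = ("--load-extension", "--disable-extensions-except")

# Command-line traits typical of XMRig-style CPU miners: a stratum pool URL,
# XMRig's --donate-level option, or a pool host:port after -o/--url.
MINER_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"(^|\s)(-o|--url)\s+\S+:\d{2,5}", re.I),
]


@dataclass
class ProcessRecord:
    pid: int
    name: str
    cmdline: str


# Constructed sample telemetry (hypothetical, not real Digmine indicators):
# a benign Chrome launch, a Chrome launch that side-loads an extension from a
# temp directory, and a miner-like process pointing at a pool.
SAMPLE_PROCESSES = [
    ProcessRecord(1201, "chrome.exe",
                  r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    ProcessRecord(1342, "chrome.exe",
                  r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                  r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext" --profile-directory=Default'),
    ProcessRecord(1388, "codec.exe",
                  r'C:\Users\alice\AppData\Local\Temp\codec.exe -o stratum+tcp://pool.example.invalid:3333 '
                  r'-u 4AexampleWalletAddress --donate-level=1'),
]

# Constructed autorun entries (registry Run-key value name, command): one benign
# and one that relaunches Chrome with the side-loaded extension at every logon.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext"'),
]


def sideloaded_extension_paths(cmdline):
    """Return the directories passed to Chrome's extension side-load switches."""
    paths = []
    for switch in SIDELOAD_SWITCHES:
        # The value may be quoted or bare; several paths are comma separated.
        for m in re.finditer(re.escape(switch) + r'=("?)([^"\s]+)\1', cmdline):
            paths.extend(p for p in m.group(2).split(",") if p)
    return paths


def analyze_cmdline(source, cmdline):
    """Return (kind, source, detail) findings for a single command line."""
    findings = []
    if "chrome" in cmdline.lower():
        paths = sideloaded_extension_paths(cmdline)
        if paths:
            findings.append(("chrome_extension_sideload", source, paths))
    hits = [p.pattern for p in MINER_PATTERNS if p.search(cmdline)]
    if hits:
        findings.append(("miner_like_cmdline", source, hits))
    return findings


def analyze(processes, autoruns):
    """Run both checks over running processes and autorun entries."""
    findings = []
    for proc in processes:
        findings.extend(analyze_cmdline(f"pid {proc.pid} ({proc.name})", proc.cmdline))
    for key, cmd in autoruns:
        findings.extend(analyze_cmdline(f"autorun {key}", cmd))
    return findings


if __name__ == "__main__":
    for kind, source, detail in analyze(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(f"[{kind}] {source}: {detail}")
```

On a real host the records would come from a process listing and an autorun dump rather than the embedded samples. Both checks are heuristics: developers legitimately use `--load-extension`, so a hit is a triage lead (which extension directory, which Run key created it, is the Chrome process consuming unusual CPU) rather than proof of infection.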

The cyber security firm went on to state:

“The extension will read its own configuration from the C&C (command and control) server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.”

This is not the first time mining malware has appeared in the wild: an outbreak of Coinhive was used in October to attack Android apps and mine the same altcoin. Vigilance is key for heavy Facebook users; this is only the beginning when it comes to crypto-mining malware, and there will be more to come.