Earlier this month, security researchers at Trend Micro spotted a new campaign related to FacexWorm, which first surfaced last year. It targets Facebook users by sending them spam links in Facebook Messenger and leads them into installing a fake codec Chrome extension (which hides FacexWorm) through a YouTube-themed webpage.
The extension comes with a host of capabilities. Trend Micro found that it can extract usernames and passwords from login forms and send them to the attackers' C&C server.
This behavior was seen when the user visited sites such as Google, CoinHive and MyMonero. Using a payload received from the C&C server, it also sends malicious links to the friends of the affected Facebook user, similar to the cryptojacking bot Digimine.
It tries to lure users into cryptocurrency scams by automatically redirecting them to suspicious URLs. This happens when the user visits one of the 52 websites the extension recognizes as cryptocurrency trading platforms, or when the URL contains keywords such as "blockchain" or "eth-".
Further, when visiting certain targeted sites, the extension redirects users to pages carrying attacker-specified referral links for the same website.
The malware is armed with persistence mechanisms in case the victim notices something unusual and tries to uninstall the extension. It can detect when the user opens Chrome's extensions management page and closes that tab automatically.
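The capabilities described above (scraping login forms on arbitrary sites, rewriting navigations, watching and closing tabs) each require specific Chrome extension permissions, so a responder triaging a suspicious profile can score installed extensions by the permissions their manifests declare. The script below is an added example written for this page, not Trend Micro's tooling and not FacexWorm's actual manifest: the sample manifest is constructed to mirror the article's description, and the profile directory layout (`<Extensions dir>/<id>/<version>/manifest.json`) is assumed from Chrome's usual on-disk format.

```python
import json
from pathlib import Path
from typing import Any, Dict, List

# Constructed sample manifest (NOT FacexWorm's real one). The permission set
# mirrors the behaviour the article describes: a content script on every page
# (reading login forms), the `tabs` permission (spotting and closing the
# chrome://extensions tab) and blocking webRequest (redirecting navigations).
SAMPLE_MANIFEST: Dict[str, Any] = {
    "name": "Video Codec",
    "version": "1.0",
    "manifest_version": 2,
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

# Match patterns that put a content script on every site the user visits.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def has_broad_content_script(manifest: Dict[str, Any]) -> bool:
    """True if any content script is injected into all (or all web) origins."""
    for script in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(script.get("matches", [])):
            return True
    return False


def has_permission(manifest: Dict[str, Any], *perms: str) -> bool:
    """True only if every listed permission is declared in the manifest."""
    granted = set(manifest.get("permissions", []))
    return all(p in granted for p in perms)


def assess_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing risky was seen."""
    findings: List[str] = []
    if has_broad_content_script(manifest):
        findings.append("content script runs on every site: can read login forms and page content")
    if has_permission(manifest, "tabs"):
        findings.append("'tabs' permission: can see open-tab URLs and close tabs (e.g. chrome://extensions)")
    if has_permission(manifest, "webRequest", "webRequestBlocking"):
        findings.append("blocking webRequest: can rewrite or redirect navigations (scam/referral URLs)")
    if "<all_urls>" in manifest.get("permissions", []):
        findings.append("<all_urls> host permission: the above apply to every origin")
    return findings


def risk_score(manifest: Dict[str, Any]) -> int:
    """Simple count of findings; 3 or more warrants manual review of the extension."""
    return len(assess_manifest(manifest))


def scan_extensions_dir(extensions_dir: Path) -> Dict[str, List[str]]:
    """Walk <extensions_dir>/<id>/<version>/manifest.json and report findings per extension.

    The directory layout is an assumption about Chrome's profile format; point it at
    e.g. ~/.config/google-chrome/Default/Extensions on Linux.
    """
    report: Dict[str, List[str]] = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash the triage
        findings = assess_manifest(manifest)
        if findings:
            ext_id = manifest_path.parent.parent.name
            report[ext_id] = findings
    return report


if __name__ == "__main__":
    print(f"sample manifest risk score: {risk_score(SAMPLE_MANIFEST)}")
    for line in assess_manifest(SAMPLE_MANIFEST):
        print(" -", line)
```

The score is deliberately coarse: plenty of legitimate extensions (ad blockers, password managers) declare the same permissions, so the output is a prioritisation list for a human, not a verdict. Pair it with the install source (the article notes the fake codec was pushed from a YouTube-themed page rather than found via the Web Store listing) before deciding to remove anything.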
While it may sound like a horror story, it could also be a topic worth a good laugh. FacexWorm has managed to get hold of just one Bitcoin transaction, worth $2.49, according to the researchers who checked the attacker's wallet. The number of affected users is also quite small.
The researchers said that many of these Chrome extensions had already been removed from the Chrome Web Store before they alerted Google, but the attacker keeps trying to re-upload the FacexWorm extension as fast as it is promptly taken down.
Facebook was also informed about the malicious links, which the company has since blocked on its social network. The researchers note that Facebook Messenger has built-in functionality to detect and remove malicious links.
In most cases, the socially engineered links are removed before the user clicks them. Still, users are advised to know what they are clicking on and sharing with their friends online.