Malware spread through Facebook downloads cryptomining code and steals credentials.

New malware spreading through Facebook infects victims' computers in order to steal their social media credentials and download cryptomining code. The malware, called Nigelthorn, is being spread through socially engineered links on Facebook. It has been active since at least March 2018 and has already infected more than 100,000 users around the world.

The attackers created copies of legitimate extensions and injected an obfuscated malicious script that starts the malware download. This is done to bypass Google's extension validation checks. After first detecting the zero-day malware threat, researchers named the malware after the main Google Chrome application it leverages: the Nigelify application. Nigelify, a legitimate Chrome app that replaces pictures with the face of the cartoon character Nigel Thornberry, has been responsible for a large number of infections. The hackers are also using other approved Chrome extensions such as PwnerLike and iHabno. In all, seven Chrome applications have been discovered carrying the malware. Google's security algorithms have already blocked four of them. A Google spokesperson stated that they removed the malicious extensions from the Chrome Web Store and from the browsers of the small percentage of affected users within hours of their being discovered.

The attack starts with a user clicking on a malicious link sent via Facebook. Users log into Facebook and see a message from one of their friends, or they are tagged in a post containing a malicious link and a picture. The link redirects users to a fake YouTube page that asks them to install a Chrome extension to play the video. Once the user clicks Add Extension, one of the seven malicious extensions, typically Nigelify, installs the malware onto their system. The attack targets Chrome browsers, so users who don't use Chrome are not at risk. Once executed, the JavaScript code downloads an initial configuration from the attackers' C2 server with a set of requests, including a three-part set of plugins composed of code for spreading itself on Facebook, cryptomining code and YouTube click-fraud code.

The malware then spreads further through the user's social network. It also steals credentials by generating authenticated Facebook access tokens. The malware collects the relevant account information needed to spread the malicious link to the user's contacts. Once a contact clicks on the link, the infection process starts over again and redirects them to a YouTube-like webpage that requires a plugin installation to view the video. A browser-based mining tool written in JavaScript is downloaded as a plug-in to start mining Monero, Bytecoin or Electroneum. It is estimated that $1,000 was mined over six days, most of it in Monero.

The malware also contains several persistence features: if a user tries to open the extensions tab to remove the extension, the malware closes the tab and prevents removal. It also downloads URI regexes from the C2 server and blocks users from accessing URLs that match those patterns.
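Because the infection chain above runs entirely through sideloaded Chrome extensions, one defensive check is to scan a Chrome profile's Extensions directory offline for manifests matching known indicators. The following is an added example, not code from the article or from the researchers; the three extension names come from the article, while the "content script on both Facebook and YouTube" heuristic, the placeholder extension IDs and the sample manifests are constructed here.

```python
# Added example (not from the article): scan a Chrome profile's Extensions tree
# for manifests matching indicators from the Nigelthorn write-up.
import json
import os
import tempfile

WATCHLIST_NAMES = {"nigelify", "pwnerlike", "ihabno"}  # names from the article
ABUSED_HOSTS = ("facebook.com", "youtube.com")  # hosts the campaign abused (heuristic)


def flag_manifest(manifest: dict) -> list:
    """Return the reasons a manifest looks suspicious (empty list if none)."""
    reasons = []
    if manifest.get("name", "").lower() in WATCHLIST_NAMES:
        reasons.append("name '%s' is on the watchlist" % manifest["name"])
    hosts = {h for cs in manifest.get("content_scripts", [])
             for pat in cs.get("matches", []) for h in ABUSED_HOSTS if h in pat}
    if hosts == set(ABUSED_HOSTS):
        reasons.append("content scripts run on both Facebook and YouTube")
    return reasons


def scan_extensions_dir(root: str) -> dict:
    """Find every manifest.json under <profile>/Extensions; map extension id -> reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                reasons = flag_manifest(json.load(fh))
            if reasons:  # the extension id is the directory directly under root
                ext_id = os.path.relpath(dirpath, root).split(os.sep)[0]
                findings[ext_id] = reasons
    return findings


def build_demo_profile() -> str:
    """Write two constructed manifests into a temporary Extensions tree for a dry run."""
    root = tempfile.mkdtemp(prefix="ext_scan_")
    samples = {  # IDs are placeholders, not real Chrome Web Store IDs
        "aaaa_demo_id": {"name": "Nigelify", "content_scripts": [
            {"matches": ["*://*.facebook.com/*", "*://*.youtube.com/*"]}]},
        "bbbb_demo_id": {"name": "Benign Notes", "content_scripts": [
            {"matches": ["*://*.facebook.com/*"]}]},
    }
    for ext_id, manifest in samples.items():
        ver_dir = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(ver_dir)
        with open(os.path.join(ver_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Point `scan_extensions_dir` at a real profile's `Extensions` folder to check a workstation; `build_demo_profile()` only exists so the scanner can be exercised without one.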

As this malware spreads, the attackers will continue to look for new ways to use the stolen assets. Hackers continuously create new malware and mutations to bypass security controls. Individuals and organizations should update their current passwords and only download applications from trusted sources to protect themselves from such attacks. Other Facebook malware campaigns have appeared on the platform, including FacexWorm, malware spread through Facebook Messenger that installs on users' systems and steals their passwords. We will only see these types of social-media-spread malware continue in the future.