FacexWorm malware steals cryptocurrency & Facebook credentials

Security firm Trend Micro’s researchers have identified a malicious Chrome extension that can hijack Bitcoin transactions before getting detected. The extension utilizes an already discovered malware called FacexWorm.

The malware was firstly identified in August 2017 and it re-emerged earlier in April 2018. The attack involves propagation of infected Facebook Messenger messages while the attack is limited to Chrome at the moment, claim researchers.

If FacexWorm identifies that the browser isn’t Chrome, it redirects the user to a harmless advertisement. The malware is capable of stealing passwords, cryptocurrency and can even perform cryptojacking.

FacexWorm malware steals cryptocurrency & Facebook credentials

Last year, the malware came to the limelight when it was launched through phishing messages spread via Facebook Messenger. It lured victims to fake and infected versions of YouTube and other popular websites. Once the victim was on the fake page, a malicious Chrome extension was downloaded.

Since the time FacexWorm was detected, security experts were keeping an eye on its activities and in April 2018 they detected that its activity has substantially increased. The main target of FacexWorm even this time around is Facebook users across the globe.

According to researchers, the malware is distributed via Facebook and it exploits Google Chrome to achieve its nefarious objectives. It has, however, received tremendous overhauling over the past one year as it is now capable of stealing credentials from trusted websites like Google.

It can attack cryptocurrency websites too while launching cryptocurrency scams and mining for cryptocurrency by exploiting infected systems’ resources is quite easy for FacexWorm.  As noted by Trend Micro in its official blog post on FacexWorm:

“FacexWorm injects malicious mining codes on the webpage, redirects to the attacker’s referral link for cryptocurrency-related referral programs, and hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker’s.”

It must be noted that to carry out any of these malicious activities, the malware needs to get installed on the targeted system. This is achieved through sending the victim a link on behalf of a Facebook contact that would redirect to a fake YouTube page.

On this page, the victim is requested to install a codec extension, which is likely to play the promised video. When this extension is executed, FacexWorm gets installed and seeks permissions to access the site for making necessary data modifications.

FacexWorm malware steals cryptocurrency & Facebook credentials

FacexWorm also establishes contact with its C&C server in order to access Facebook profiles and receives many more fake YouTube links, which are then sent to other contacts so that the malware keeps spreading. In case the link reaches a user who doesn’t use Chrome, then it gets diverted to an advertisement.

Researchers have termed FacexWorm as a ‘clone’ of a normal Chrome extension that has been injected with malicious coding; it is distributed through downloading a new JavaScript code every time the browser or a new website is opened.

“FacexWorm is a clone of a normal Chrome extension but injected with shortcode containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened. Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage” wrote researchers in the company’s blog post.

If the malware is unsuccessful in hijacking Bitcoin transactions, the Chrome extension tries to create a link with other referral scams that target DigitalOcean, Binance, FreeDoge.co.in, FreeBitco.in and HashFlare, etc. When the system is infected with FaceXWorm, the user searching for cryptocurrency-related terms in the browser’s address bar such as Ethereum, it would lead to a fake page.

FacexWorm malware steals cryptocurrency & Facebook credentials

The user is asked to send between 0.5 and 10 ether to the attacker’s wallet for verification purpose and in return, the user is promised to be sent 5-100 ether. Researchers noted that so far no one has sent Ether to the attacker’s wallet.

The malware has a distinct mechanism of evading detection. FacexWorm instantly closes itself if the extension’s management tab is clicked. This type of evasive mechanism is utilized by other malicious extensions too like DroidClub.

Despite that Google has removed the infected extensions from Chrome Web Store but attackers immediately re-upload them. Facebook is also informed about the malware but claims that its Messenger has the capability of blocking the spreading of infected links as the social network maintains various automated systems. These systems are there to prevent harmful links and files from affecting Facebook and Facebook Messenger users.

“If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners,” read the official statement from Facebook.

Still, we would like to suggest that you be careful while sharing any links and remain cautious of suspicious messages. Don’t forget to enable stricter privacy settings for all your social media accounts.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'