Beware of FacexWorm: Encryption Mining Malware.

Social networks, like Facebook, are generally used by hackers to distribute malware through all kinds of scams due to the scope of the publications in them. In many cases they invite you to watch a video or read an interesting news and, when entering that link, you fall into the trap created by hackers to distribute malware. This is how it infects FacexWorm malware.

First exposed in August 2017, the malware initially used Facebook Messenger to send malicious links that, when clicked, provided the attacker with access to users’ Facebook accounts and at the same time infected their operating systems. FacexWorm resurfaced in early April of this year.

In this way, Cybersecurity company Trend Micro has indicated that Cyber Safety Solutions identified a malicious extension of Chrome called FacexWorm, which sends links to all the people in the list of victims. In turn, it warns that the capabilities of the malicious FacexWorm extension, “were made to steal user credentials for Google, MyMonero and Coinhive, it also has the ability to hijack cryptocurrency transactions in a variety of important exchanges, including Poloniex, HitBTC, Bitfinex, Ethfinex, Binance in addition to the Blockchain cryptographic portfolio (formerly”

So, this malware, promotes a scam that tricks users to send ether to the wallet of the attacker and exhausts the processing power of a computer to boost the clandestine extraction of cryptocurrencies.

Trend Micro warns that FacexWorm, “uses a mixture of techniques to target the cryptocurrency trading platforms accessed from an affected browser and spreads through Facebook Messenger”, at the same time, said that “discovered a transaction Bitcoin affected, but has not identified the value of the loot obtained from cryptography. ” It seems that there is no possibility of recovering the money once the transaction is completed. However, luckily, the company has so far found only one Bitcoin transaction compromised by the malware.

In the same sense, FacexWorm does not inject the usual Coinhive Monero mining script. Instead, it uses an obfuscated version of the code, which infects all websites visited by the victim. To distribute this threat, hackers distribute a series of publications on the promoted social network, to reach a greater variety of users, as well as links through Messenger, which leads to a fake website that mimics the appearance of YouTube and asks Install an extension in Google Chrome.

When the victim downloads and installs this extension, it automatically starts downloading a series of modules and components used to perform all their tasks directly running from the browser.

For its part, Chrome banned the cryptocurrency mining extensions from its web store in early April and eliminated the extension, leaving hackers with almost nothing, since they apparently only managed to infect a small number of computers.

All this malware is capable of doing in infected browsers is:

  • Steal an OAuth Facebook token to be distributed using the victim’s Facebook account.
  • It is done with Google, MyMonero and Coinhive credentials when the user enters the login website.
  • Injects mining cryptocurrency scripts on websites.
  • Suppress the addresses of the purses when making payments with cryptocurrencies.
  • Detects all searches related to cryptocurrency purses and redirects them to fake websites from which to steal credentials.
  • The extension closes when it detects that the user opens the extension manager of Google Chrome to not be detected.
  • Generates referrals for the main cryptocurrency exchanges.

Trend Micro security experts have shown that this malware has been able to supplant a payment with Bitcoin, a payment valued at $ 2.29. However, it is believed that the money that can be earned by hackers with mining functions is infinitely higher.

In this regard, Trend Micro advised users to “think before sharing, be more prudent with unsolicited or suspicious messages and allow a more stringent privacy setting for their social media accounts.” Therefore, you need to be careful when clicking on links sent by people you do not know and about the Chrome extension requests that appear in the browser.

In turn, avoid visiting links received through the chat until you are completely sure that it is a trusted link and also avoid accessing all these “clicbait” news that are passed off as viral and use tricks to get them to enter they. Google is removing all extensions reported by Trend Micro used by hackers in these malicious campaigns, however, the pirates are uploading these extensions again and again, so the threat is currently active. In addition, hackers are focusing their efforts in several countries, such as Germany, Tunisia, Japan, Taiwan, Korea and Spain.

If you have installed the extension by mistake, although removing it from the browser should be safe again, it is much better to make a complete deletion of Google Chrome, with our full profile folder, and reinstall the browser completely, preventing one of the modules that this extension downloads, you can reinstall it after deleting it.


Disclaimer: This press release is for informational purposes information does not constitute investment advice or an offer to invest. The views expressed in this article are those of the author and do not necessarily represent the views of infocoin, and should not be attributed to, Infocoin.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *