FacexWorm malware resurfaces, spreads via Facebook Messenger

At the end of April 2018, researchers at security firm Trend Micro identified a malicious Google Chrome extension, similar in its propagation method to Digmine, that steals credentials and hijacks cryptocurrency transactions. The extension carries an already-known piece of malware called FacexWorm.

The malware was first spotted in August 2017 on Facebook Messenger, where it sent out fake messages in an attempt to steal passwords and other sensitive information from users of the platform.

Since FacexWorm was first detected, security researchers have kept an eye on its activity, and in April 2018 they observed a substantial increase. The main target this time around is again Facebook users across the globe.

FacexWorm spreads through compromised Facebook accounts. Hacked accounts send socially engineered spam links via Facebook Messenger that redirect recipients to a professionally designed, rogue YouTube-themed website. The site prompts the visitor to install a "codec" Chrome extension, which is in fact laced with FacexWorm's JavaScript code. Once the extension is installed, the malware pushes the same link out from the victim's account to the people on their friend list, potentially infecting their systems as well.

If FacexWorm determines that the visitor's browser is not Chrome, it redirects them to a harmless advertisement instead.

The malware can steal credentials and cryptocurrency, perform cryptojacking by injecting malicious mining code into websites the victim visits, and hijack cryptocurrency transactions and web wallets.

Interestingly, the blog post notes that FacexWorm specifically targets cryptocurrency trading platforms by looking for keywords such as 'blockchain' and 'ethereum' in the URL. Once it detects such a site, it reportedly prompts the user to "verify" their wallet address by sending a small amount of Ether, which the attackers pocket with no apparent way for the victim to recover it. Despite the campaign's reach, the researchers say only one Bitcoin transaction has been compromised so far.
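One way to picture the two behaviours described above, the URL keyword check the worm uses to pick its targets and the kind of client-side integrity check a wallet page can run to notice a recipient address that was swapped before submit, as an added JavaScript example. This is not code from the article, from Trend Micro's write-up, or from the malware itself; the URLs, addresses and function names are constructed for illustration, and the address-format checks are purely syntactic (the EIP-55 checksum is not verified).

```javascript
// Added example, not code from the article or from Trend Micro's analysis.
// (1) isTargetedUrl models the target selection the article describes:
//     keywords such as 'blockchain' and 'ethereum' searched for in the URL.
// (2) checkRecipient is a defensive check a wallet page could run: compare
//     the address the user actually typed with the field's value at submit
//     time, so that a recipient rewritten by an extension is noticed.
// All URLs, addresses and names below are constructed for illustration.

const TARGET_KEYWORDS = ['blockchain', 'ethereum'];

// True if any keyword appears in the host or path of an absolute URL.
// Handy for defenders to test which of their own URLs such a filter would hit.
function isTargetedUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute URL, nothing to match against
  }
  const haystack = (parsed.hostname + parsed.pathname).toLowerCase();
  return TARGET_KEYWORDS.some((kw) => haystack.includes(kw));
}

// Rough syntactic classification of the two address formats mentioned.
// ETH: 0x followed by 40 hex digits (hex is case-insensitive; EIP-55 ignored).
// BTC legacy / P2SH: base58, first char 1 or 3, 26..35 chars, case-sensitive.
function addressKind(addr) {
  if (/^0x[0-9a-fA-F]{40}$/.test(addr)) return 'eth';
  if (/^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/.test(addr)) return 'btc';
  return 'unknown';
}

// Normalise for comparison: strip surrounding whitespace; lower-case only the
// ETH form, because base58 (BTC) addresses are case-sensitive.
function canonical(addr) {
  const trimmed = addr.trim();
  return addressKind(trimmed) === 'eth' ? trimmed.toLowerCase() : trimmed;
}

// typedAddress: what the user entered (captured from their input events).
// fieldValueAtSubmit: what the form field holds when the payment is sent.
// A mismatch means something other than the user rewrote the field, which is
// exactly what a transaction-hijacking extension does.
function checkRecipient(typedAddress, fieldValueAtSubmit) {
  const expected = canonical(typedAddress);
  const actual = canonical(fieldValueAtSubmit);
  if (expected === actual) {
    return { ok: true, kind: addressKind(expected) };
  }
  return {
    ok: false,
    kind: addressKind(expected),
    reason: `recipient changed from ${expected} to ${actual} before submit`,
  };
}

// Constructed sample data for a stand-alone run.
const SAMPLE_URLS = [
  'https://www.blockchain.example/wallet',      // matches 'blockchain'
  'https://app.ethereum-swap.example/trade',    // matches 'ethereum'
  'https://mail.example.com/inbox',             // no keyword, left alone
];
const TYPED_ETH = '0xABABABABABABABABABABABABABABABABABABABAB';   // constructed
const SWAPPED_ETH = '0xCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD'; // constructed
const TYPED_BTC = '1AbAbAbAbAbAbAbAbAbAbAbAbAbAbAbAbAb';         // constructed

function demo() {
  for (const u of SAMPLE_URLS) {
    console.log(`${isTargetedUrl(u) ? 'TARGETED' : 'ignored '} ${u}`);
  }
  console.log(checkRecipient(TYPED_ETH, TYPED_ETH.toLowerCase())); // ok: case only
  console.log(checkRecipient(TYPED_ETH, SWAPPED_ETH));             // flagged
  console.log(checkRecipient(TYPED_BTC, TYPED_BTC.toLowerCase())); // flagged
}

demo();
```

The check only catches the field being rewritten between input and submit; an extension that also intercepts the user's keystrokes, or rewrites the page that displays the address after submission, needs defences outside the page, such as keeping the extension out of the browser in the first place and confirming the recipient on a hardware wallet's own screen.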