Alert! Facebook Messenger Now Used For Spreading Cryptocurrency Mining Virus

On 21st December, Security researchers at TrendMicro released a blog post explaining about a cryptocurrency mining virus dubbed as “Digmine“. The virus is spreading rapidly because it uses world’s most popular platform “Facebook Messenger” as the medium to spread.

Digmine is a cryptocurrency mining virus targetting the users of Facebook Messenger’s Desktop/Web versions. So, if you are using a mobile version then you are safe as the virus won’t be able to work on your phone.

The virus is coded in AutoIt and spread to the potential victims as a video file, which actually is an executable script.

If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends.

Said the Security researchers at TrendMicro, further in their blog post researchers explained about how exactly digmine uses the victim’s resources for mining cryptocurrency.

The file looks something like this:

cryptocurrencyminingvirus
credits: trendmicro

 

Working of Digmine

 

The video file which contains Digmine is just a downloader according to the researchers. This downloader once clicked, connects to its Command & Control (C&C) server to download the required config files and components to run a cryptocurrency miner and spread the virus ahead.

Digmine Downloads and runs the following files in the infected computers.

 

digminefiles
credits: trendmicro

 

The Virus at first will install a cryptocurrency miner(miner.exe). Then this miner will use the resources of the victims’ computer to mine cryptocurrency. Apart from running a cryptocurrency miner it also installs a malicious Chrome extension. This malicious chrome extension is then used to spread the virus using the victims’ Facebook profile.

 

” It will search and launch Chrome then load a malicious browser extension that it retrieves from the C&C server. If Chrome is already running, the malware will terminate and relaunch Chrome to ensure the extension is loaded.” explained the researchers.

 

Digmine infection chain

 

cryptocurrencyminingvirus
credits: trendmicro

Apart from all the above operations, it does one more operation which makes the video file look genuine, so that victim won’t be able to get that this file is malicious. This is also done using the extension installed.

The extension gets is own config from the C&C server and will either proceed to log into the victims’ facebook profile or will launch another tab with a fake page which will play a video, and all this can be controlled using C&C server.

So far this virus was found infecting countries like Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela.

Mobile Messenger users are still safe, but point to note is that Digmine is controlled using a C&C server, so it is easy to edit the config files and add new features to the script.

TrendMicro has already reported the issue to Facebook, and Facebook removed the links and actively responded with an official statement stating “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”

Users are requested not to click on random files and always be suspicious while on the internet.