Facebook Messenger is the launching pad for a new Monero-cryptocurrency mining bot called Digmine that so far is hitting only a small sampling of nations around the world.
Trend Micro is reporting that Digmine, which is written in autolt, poses as a video file but is actually an AutoIt executable script. When it comes across a Facebook account that is set to auto log in the user, Digmine is able to co-op Messenger to send the malware to the account owner’s friend list. The fact that the miner is controlled from a command-and-control server means its authors or distributors can update it at will, potentially making it more dangerous in the future.
“The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line,” said Lenart Bermejo and Hsiao-Yu Shih.
Digmine has so far confined its activities to South Korea, Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela, but because Facebook Messenger is used worldwide and on different platforms, there is every chance the bot will spread. One piece of good news is that it is only effective on desktop versions of the Chrome browser. If Digmine finds itself on a mobile device or different browser, it does not operate properly, Trend Micro said.
Once downloaded onto a computer, Digmine’s first operation is to install an autostart mechanism and launch Chrome with a malicious extension. It then starts mining and finally connects with the Facebook account’s friend list via Messenger and begins to spread. In order to keep the victim unaware, a video file is streamed from a website that is controlled by the cybercriminal and contains additional components for the malware.
The miner is a variant of the Monero miner XMRig and is downloaded by a codec.exe.
Trend Micro notified Facebook, and the social media company was able to remove many of the Digmine-related links from its platform. Facebook is also telling users that if it believes their system is infected, it will provide a free anti-virus scan.