A zero-day exploiting malware capable of performing credential theft, cryptomining, click fraud and more has already infected more than 100,000 users from over 100 countries
Dubbed NigelThorn, the malware infects users by abusing the Google Chrome extension ‘Nigelify' using copies of legitimate extensions and injecting short obfuscated malicious scripts into them to bypass Google's extension validation checks, according to a May 10 Radware Threat Alert.
The malware earned its name since the original Nigelify app replaces pictures with “Nigel Thornberry,” researchers said in the post.
The malware is spread via socially engineered links on Facebook that redirect victims to a fake YouTube page asking the user to install a Chrome extension, in order to play the video. Once the victim clicks on the “Add Extension” button they are redirected to a Bitly URL, from which will be redirected to Facebook to trick users and retrieve access to their Facebook account via phishing.
NigelThorn is also persistent as it will close the extensions tab if a user looks to remove the malware from their device. The malware also downloads URI Regex from the C2 and blocks users that try to access it.
The threat actors behind the campaign have been active since at least March 2018 has since infected victims in more than 100 countries although 75 percent of the infections come mainly from the Philippines, Venezuela, and Ecuador whereas the other 25 percent is distributed over 97 other countries.