Digmine Malware Spreading via Facebook Messenger

LASER_oneXM

Feb 4, 2016
Users across several countries are being targeted in a campaign that delivers a new strain of malware named Digmine that installs a Monero cryptocurrency miner and a malicious Chrome extension which helps it propagate to new victims.

The malware spreads via Facebook Messenger, which is Facebook's official instant messaging platform.

Digmine spread via Facebook DMs
Victims usually receive a file named video_xxxx.zip (where xxxx is a four-digit number) that tries to pass as a video file. The archive hides an EXE file. Users careless enough to run the file will infect themselves with Digmine.

Under the hood, Digmine is written in AutoIt and has few features beyond contacting a remote command-and-control (C&C) server for instructions.

A South Korean security researcher named c0nstant and experts from Trend Micro say that currently, the C&C server sends back to victims a Monero miner and a Chrome extension.

Digmine also adds a registry-based autostart mechanism, and then installs the Monero miner and the Chrome extension it just received.

Normally, Chrome extensions can only be loaded from the official Chrome Web Store, but in this case, the attackers are installing the malicious extension via a clever trick that uses Chrome application command-line parameters.
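As an added defensive example (not code from the original post, from Trend Micro, or from the researcher cited), the script below triages constructed, Sysmon-style process-creation and registry events for the two behaviours the article describes: a Run-key autostart entry and Chrome being started with a command-line switch that side-loads an unpacked extension. The article does not name the switch; the assumption that `--load-extension` (and its companion `--disable-extensions-except`) is the relevant one is mine, as are all sample paths and key names.

```python
import re

# Constructed sample telemetry (not from a real incident): process-creation and
# registry-value events in the shape a Sysmon-style sensor would emit.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\u\AppData\Local\ext" https://www.facebook.com'},
    {"type": "process",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Users\u\AppData\Roaming\updater.exe"'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\x",
     "value": r"C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=C:\Users\u\AppData\Local\ext"},
]

# Chrome switches that load an extension from disk, bypassing the Web Store
# (assumed to be the mechanism the article alludes to).
EXT_LOAD_FLAGS = ("--load-extension", "--disable-extensions-except")

# Run, RunOnce and the policy Run key under CurrentVersion (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run(?:Once)?\\", re.IGNORECASE)


def chrome_sideloads_extension(cmdline):
    """True if a command line starts chrome.exe with an extension side-load switch."""
    lowered = cmdline.lower()
    return "chrome.exe" in lowered and any(flag in lowered for flag in EXT_LOAD_FLAGS)


def is_run_key(key):
    """True if a registry path is one of the common autostart (Run) keys."""
    return bool(RUN_KEY_RE.search(key))


def triage(events):
    """Return (severity, reason, event) findings for the behaviours above."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and chrome_sideloads_extension(ev["cmdline"]):
            findings.append(("high", "chrome started with extension side-load switch", ev))
        elif ev["type"] == "registry" and is_run_key(ev["key"]):
            # An autostart entry that itself side-loads a Chrome extension is the
            # combination of both behaviours and is rated higher than a plain Run entry.
            sev = "high" if chrome_sideloads_extension(ev["value"]) else "medium"
            findings.append((sev, "autostart entry written to a Run key", ev))
    return findings


if __name__ == "__main__":
    for sev, reason, ev in triage(SAMPLE_EVENTS):
        print(sev, reason, ev.get("cmdline") or ev["value"])
```

A plain Run entry is common on any workstation, so in practice the medium finding is a pivot point for review rather than an alert on its own.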

Facebook intervened and stifled the current campaign
Trend Micro said they reached out to Facebook. The social network removed the malicious links from people's Messenger conversations, but the reality is that the Digmine crew can easily change the current distribution links and start a campaign anew.