Digmine Malware Spreading via Facebook Messenger

  • This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

LASER_oneXM

Level 22
Content Creator
Feb 4, 2016
1,198
Operating System
Windows 8.1
Installed Antivirus
Kaspersky
#1
Users across several countries are being targeted in a campaign that delivers a new strain of malware named Digmine that installs a Monero cryptocurrency miner and a malicious Chrome extension which helps it propagate to new victims.

The malware spreads via Facebook Messenger, which is Facebook's official instant messaging platform.

Digmine spread via Faceboom DMs
Victims usually receive a file named video_xxxx.zip (where xxxx is a four-digit number) that tries to pass as video file. The archive hides an EXE file. Users careless enough the run the file will infect themselves with Digmine.

Under the hood, Digminer is written in AutoIt and has little features except to contact a remote command-and-control (C&C) server for instructions.

A South Korean security researcher named c0nstant and experts from Trend Micro say that currently, the C&C server sends back to victims a Monero miner and a Chrome extension.

Digminer also adds a registry-based autostart mechanism, and then installs the Monero miner and the Chrome extension it just received.

Normally, Chrome extensions can only be loaded from the official Chrome Web Store, but in this case, the attackers are installing the malicious extension via a clever trick that uses Chrome application command-line parameters.
Digmine spread via Faceboom DMs
Victims usually receive a file named video_xxxx.zip (where xxxx is a four-digit number) that tries to pass as video file. The archive hides an EXE file. Users careless enough the run the file will infect themselves with Digmine.

Under the hood, Digminer is written in AutoIt and has little features except to contact a remote command-and-control (C&C) server for instructions.

A South Korean security researcher named c0nstant and experts from Trend Micro say that currently, the C&C server sends back to victims a Monero miner and a Chrome extension.

Digminer also adds a registry-based autostart mechanism, and then installs the Monero miner and the Chrome extension it just received.

Normally, Chrome extensions can only be loaded from the official Chrome Web Store, but in this case, the attackers are installing the malicious extension via a clever trick that uses Chrome application command-line parameters.
Facebook intervened and stifled current campaign
Trend Micro said they reached out to Facebook. The social network removed the malicious links from people's Messenger conversations, but the reality is that the Digmine crew can easily change the current distribution links and start a campaign anew.