Digmine Malware Spreading via Facebook Messenger

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Users across several countries are being targeted in a campaign that delivers a new strain of malware named Digmine that installs a Monero cryptocurrency miner and a malicious Chrome extension which helps it propagate to new victims.

The malware spreads via Facebook Messenger, which is Facebook's official instant messaging platform.

Digmine spread via Faceboom DMs
Victims usually receive a file named video_xxxx.zip (where xxxx is a four-digit number) that tries to pass as video file. The archive hides an EXE file. Users careless enough the run the file will infect themselves with Digmine.

Under the hood, Digminer is written in AutoIt and has little features except to contact a remote command-and-control (C&C) server for instructions.

A South Korean security researcher named c0nstant and experts from Trend Micro say that currently, the C&C server sends back to victims a Monero miner and a Chrome extension.

Digminer also adds a registry-based autostart mechanism, and then installs the Monero miner and the Chrome extension it just received.

Normally, Chrome extensions can only be loaded from the official Chrome Web Store, but in this case, the attackers are installing the malicious extension via a clever trick that uses Chrome application command-line parameters.
Click to expand...

Digmine spread via Faceboom DMs
Victims usually receive a file named video_xxxx.zip (where xxxx is a four-digit number) that tries to pass as video file. The archive hides an EXE file. Users careless enough the run the file will infect themselves with Digmine.

Under the hood, Digminer is written in AutoIt and has little features except to contact a remote command-and-control (C&C) server for instructions.

A South Korean security researcher named c0nstant and experts from Trend Micro say that currently, the C&C server sends back to victims a Monero miner and a Chrome extension.

Digminer also adds a registry-based autostart mechanism, and then installs the Monero miner and the Chrome extension it just received.

Normally, Chrome extensions can only be loaded from the official Chrome Web Store, but in this case, the attackers are installing the malicious extension via a clever trick that uses Chrome application command-line parameters.
Click to expand...

Facebook intervened and stifled current campaign
Trend Micro said they reached out to Facebook. The social network removed the malicious links from people's Messenger conversations, but the reality is that the Digmine crew can easily change the current distribution links and start a campaign anew.
Click to expand...
 
  • Like
Reactions: Daljeet and harlan4096
You must log in or register to reply here.

Similar threads

[correlate]
    • Like
MSSQL Databases Under Fire From FreeWorld Ransomware
Replies
0
Views
792
News Archive
[correlate]
[correlate]
silversurfer
    • Like
    • +Reputation
USB drive malware attacks spiking again in first half of 2023
Replies
0
Views
1,046
News Archive
silversurfer
silversurfer
MuzzMelbourne
    • Like
    • Thanks
Fake ChatGPT Chrome Extension Hijacking Facebook Accounts for Malicious Advertising
Replies
3
Views
1,023
News Archive
ForgottenSeer 98186
F

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top