A malicious Google Chrome extension, dubbed FacexWorm, has been targeting cryptocurrency exchanges via Facebook Messenger, according to researchers at Trend Micro.
FacexWorm was first identified last August by Kaspersky Lab researcher David Jacoby as malware that used Facebook Messenger to infect victims' systems. At that time it was unclear exactly how it operated or why it had been created. A video link that appeared in the target's Messenger led through a series of fake websites, at the end of which the user was asked to install a malicious Google Chrome extension from the Google Web Store; however, the file that should have been downloaded was not available at the time. Nonetheless, the malware's creators would have been making money from ads and gaining access to Facebook accounts.
Eight months later, on April 8th, Trend Micro noticed activity resembling the same malware across a range of countries, including Tunisia, Germany, Spain, Japan, Taiwan, and South Korea. Joseph C. Chen, a fraud researcher at Trend Micro, noted that the malicious Chrome extension uses "a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger".
The new version of the malware operates much like the old one, with a new twist. It retains the initial hook: socially engineered links sent to friends from an affected Facebook Messenger account, which purport to lead to a YouTube video and prompt the recipient to install the malicious extension as a video codec. Once installed, it is able to steal users' account and credential details.
However, the new FacexWorm can also carry out cryptocurrency fraud by injecting malicious cryptocurrency-mining code into websites and redirecting users to fake referral links for cryptocurrency-related programs. It also hijacks cryptocurrency transactions, allowing it to steal funds on various platforms, including Bitfinex, Binance, Ethfinex, HitBTC and Poloniex, as well as from wallets such as Blockchain.info, by replacing the recipient address with the attacker's.
After checking the attacker's address/wallet, Trend Micro had so far found only one Bitcoin transaction actually compromised by FacexWorm. By the time Trend Micro reported the problem to Chrome, it had already removed many of the fake extensions, and it has now taken full measures to remove FacexWorm and stop attackers from uploading it for the browser. Facebook Messenger has also put in place a series of steps to detect and prevent attackers from uploading FacexWorm. Trend Micro encourages users to exercise caution when sharing information with friends on Messenger.