"FacexWorm": malware that spreads via Facebook Messenger and mines virtual currency



Security company Trend Micro has published a report on "FacexWorm", malware that spreads via Facebook Messenger. FacexWorm steals Google account information stored on the infected PC and mines virtual currency without the user's knowledge, consuming CPU power. Trend Micro is warning users not to carelessly click links sent through Facebook Messenger.

FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation - TrendLabs Security Intelligence Blog


FacexWorm is malware discovered in August 2017. In April 2018, activity was reported in Germany, Tunisia, Japan, Taiwan, South Korea and Spain, and it became clear that FacexWorm infections were spreading rapidly.

FacexWorm sends a link to the victim's Facebook friends via Facebook Messenger. Anyone who opens the link is redirected to a fake page posing as a video streaming site such as YouTube.


At the same time, a popup appears prompting you to install a Chrome extension; installing it and granting its permissions infects the browser with FacexWorm. FacexWorm also closes Chrome's "Extensions" settings page (chrome://extensions/) as soon as it detects that the user has opened it, interfering with access to the configuration screen. When the link is opened in other web browsers, only harmless advertisements are displayed.
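Because the extension blocks chrome://extensions/, installed extensions can instead be reviewed from disk. The following is an added example, not code from Trend Micro or this article: it assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`, and the broad-host heuristic, function names and sample extensions are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path
# Broad host patterns: heuristic assumed for this example, not a FacexWorm IoC.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_dir):
    """Read every <id>/<version>/manifest.json under a profile's Extensions dir."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        entry = {"id": path.parts[-3], "name": None, "broad_hosts": [],
                 "tabs": False, "error": False}
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            entry["error"] = True  # unreadable manifest: report it, do not skip
            findings.append(entry)
            continue
        perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
        hosts = set(perms) | set(manifest.get("host_permissions", []))
        for script in manifest.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        entry.update(name=manifest.get("name"), tabs="tabs" in perms,
                     broad_hosts=sorted(hosts & BROAD_HOSTS))
        findings.append(entry)
    return findings

def needs_review(finding):
    """Flag unreadable manifests and extensions that can touch every page."""
    return finding["error"] or bool(finding["broad_hosts"])

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions in Chrome's layout."""
    samples = {
        "a" * 32: {"name": "Video Helper", "permissions": ["tabs", "<all_urls>"]},
        "b" * 32: {"name": "Notes", "permissions": ["storage"],
                   "host_permissions": ["https://notes.example/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in filter(needs_review, audit_extensions(build_sample_profile(tmp))):
            print(f["id"], f["name"], f["broad_hosts"], "tabs" if f["tabs"] else "")
```

To audit a real machine, pass the profile's `Extensions` directory to `audit_extensions`; a flagged entry is a prompt to check whether the user knowingly installed that extension, not proof of infection.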


From the infected PC, FacexWorm steals account credentials for Google and for the virtual currency wallet service MyMonero. In addition, JavaScript placed on the redirect destination page mines virtual currency using about 20% of the CPU power. If the user trades virtual currency, FacexWorm also looks for the address entered on the transaction page and replaces it with an address specified by the attacker. Trend Micro researchers reported finding that a Bitcoin transaction of 2 dollars 49 cents (about 270 yen) had been made by April 19. The virtual currencies whose transactions FacexWorm targets include Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Monero (XMR), Ripple (XRP), Litecoin (LTC) and Zcash (ZEC).


The Chrome Web Store had already deleted many of the malicious extensions before Trend Micro's report, and Facebook Messenger can detect the malicious links and block them to keep the infection from spreading, so Trend Micro says it is quite possible to contain the spread of FacexWorm.

"Digmine", virtual currency mining malware that, like FacexWorm, spreads via Facebook Messenger, was also reported in December 2017. Trend Micro urges users to stay vigilant and not to open links carelessly, even when they come from a close friend.

in Web Service, Security, Posted by log1i_yk