Malware "Nigelthorn" hijacks accounts and mines cryptocurrency by disguising itself as a Google Chrome extension



Security company Radware has reported discovering "Nigelthorn", malware that poses as a Chrome extension and performs account hijacking and cryptocurrency mining; it was found by analyzing communication logs with a machine learning algorithm. Like the previously reported FacexWorm, Nigelthorn spreads through Facebook, and according to Radware it has already infected more than 100,000 users in over 100 countries.

Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data | Radware Blog
https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/


Nigelthorn uses the infected user's Facebook account to send a malicious link to their friends. A user who clicks the link is redirected to a fake page imitating YouTube, where a popup prompts them to install a Chrome extension in order to play the video; if they allow it, Nigelthorn is installed. As soon as Nigelthorn detects that the infected user has opened Chrome's "Extensions" settings page (chrome://extensions/), it closes the page, obstructing access to the settings screen. It also blocks the user from deleting posts and writing comments on Facebook.


The malware also quietly mines cryptocurrency in the background on the victim's PC and sends the proceeds to the attacker. Radware reports that roughly $1,000 (about 110,000 yen) worth of Monero, Bytecoin and Electroneum has been mined by Nigelthorn so far. Nigelthorn additionally steals Facebook login credentials and Instagram cookies: if a user logs in from an infected PC, that information is sent to the attacker.

The attacker who created Nigelthorn inserted a short, obfuscated malicious script into an existing extension and published it to the Chrome Web Store as is; Radware says this is how it passed Google's code checks. According to Radware's research group, seven malicious extensions of the same type as Nigelthorn have already been detected, four of which have already been identified and blocked by Google's security team.


Because Nigelthorn poses as a Chrome extension, it works on both Windows and Linux, and on any system where the infected Chrome is used. Radware compiled statistics from the Chrome Web Store and URL-shortening services; as a result, more than 75% of infected users are in the Philippines, Venezuela and Ecuador, and the total exceeds 100,000.

There have been several earlier reports of malware such as FacexWorm and Digmine that poses as a Chrome extension to steal account information and secretly mine cryptocurrency, but Nigelthorn keeps changing the extension it copies itself into and is designed to evade removal and detection in order to spread. Radware therefore argues that it is difficult to stop the infection from spreading, and recommends that both individuals and organizations change their account passwords.

in Web Service, Security, Posted by log1i_yk