If you have used Facebook lately, you may have had run-ins with spam bots that infest your profile (or your friends’ profiles) and post links or advertisements without your permission. Well, the same kind of malware that tells your friends to “Check out this link for 90% off a BRAND NEW pair of Ray Bands. WOW!” is now being used to mine cryptocurrency.
You could be mining cryptocurrency without having a clue, all because of a mining bot that spread through Facebook Messenger.
Lenart Bermejo and Hsia-Yu Shih first described it in a Trend Micro report. The malware is called Digimine. It originated in South Korea and spreads through Facebook’s messaging app. It is used to mine Monero. The bot is restricted to the desktop version of Messenger and its Chrome browser extension.
If the user opens the malware on another device, such as Facebook Messenger’s mobile app, the device will not be infected. The report indicated that the bot’s only surrogate is Messenger right now, but it warned that “it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line.”
Like other malware, Digimine only reaches a machine when the user follows the link that delivers it. Disguised as a video file, Digimine is written in AutoIT, a freeware scripting language for Windows. If the user opens the fake video file, the computer starts running the AutoIT executable script, and if the user’s Facebook account is set to log in automatically, the bot sends the malware on to the user’s Facebook friends via Messenger.
Once the script is running, the infected computer connects to the malware’s command-and-control server. This server directs the computing power of the infected devices toward mining Monero, a popular coin.
The more computers that become infected, the higher the mining rate for the central mining operations, meaning that Digimine’s operators can expect a fatter payday.
Monero is an open-source currency created in 2014.
So far, Trend Micro has traced this malware to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela, adding the caveat: “It’s not far-off for Digimine to reach other countries given the way it propagates.”
In response to the development, Facebook issued the following statement:
“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger.
If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners.”
In the report, Trend Micro revealed that the malicious links may use the following domains: vijus[.]bid, ozivu[.]bid, thisdayfunnyday[.]space, thisaworkstation[.]space, mybigthink[.]space, mokuz[.]bid, pabus[.]bid, yezav[.]bid, bigih[.]bid, taraz[.]bid, megu[.]info.
The report also lists a number of indicators that may help determine whether or not a device has been infected. For example, if the user downloaded the malware while using Facebook’s Chrome extension, the malware would terminate and then relaunch Chrome to load Digimine.
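One way a defender can put the listed domains to work is to check outbound web traffic against them. The script below is an added example, not code from the article or from Trend Micro: it refangs the indicators quoted above, then scans proxy-log lines in a constructed (hypothetical) format of `timestamp client-ip method url` and reports any request to one of those domains or a subdomain of it.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains quoted in the article from the Trend Micro report, defanged with "[.]".
DIGIMINE_DOMAINS = [
    "vijus[.]bid", "ozivu[.]bid", "thisdayfunnyday[.]space",
    "thisaworkstation[.]space", "mybigthink[.]space", "mokuz[.]bid",
    "pabus[.]bid", "yezav[.]bid", "bigih[.]bid", "taraz[.]bid", "megu[.]info",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'vijus[.]bid' back into 'vijus.bid'."""
    return domain.replace("[.]", ".").lower()

BLOCKLIST = {refang(d) for d in DIGIMINE_DOMAINS}

# Hypothetical proxy-log layout: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def matches_blocklist(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for bad in BLOCKLIST:
        if host == bad or host.endswith("." + bad):
            return bad
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, indicator) for each request to a listed domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, url = m.groups()
        host = urlsplit(url).hostname  # lowercased, port stripped
        if host is None:
            continue
        indicator = matches_blocklist(host)
        if indicator:
            hits.append((client, url, indicator))
    return hits

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    "2017-12-21T10:00:01Z 10.0.0.12 GET http://www.example.com/index.html",
    "2017-12-21T10:00:05Z 10.0.0.12 GET http://cdn.thisdayfunnyday.space/video_1234.zip",
    "2017-12-21T10:00:09Z 10.0.0.33 GET http://MEGU.INFO:8080/chrome/ext.js",
    "2017-12-21T10:00:11Z 10.0.0.45 GET http://notmegu.info/",
    "malformed line",
]

if __name__ == "__main__":
    for client, url, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url} (matches {indicator})")
```

The suffix check is anchored on a leading dot so that a look-alike such as `notmegu.info` is not reported as a hit.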
If you think your computer has been infected, you can visit facebook.com/help for tips and information on how to move forward.
Image via getmonero