Trend Micro said they had also detected one bitcoin transaction compromised by FacexWorm
A revamped malicious Google Chrome extension has been targeting cryptocurrency exchanges, cybersecurity company Trend Micro reported this week.
Trend Micro, in a blog post, dubbed the extension FacexWorm and said that its capabilities have been “made over” in its new avatar.
“It retains the routine of listing and sending socially engineered links to the friends of an affected Facebook account, just like Digmine. But now it can also steal accounts and credentials of FacexWorm’s websites of interest,” Trend Micro said.
“It also redirects would-be victims to cryptocurrency scams, injects malicious mining codes on the webpage, redirects to the attacker’s referral link for cryptocurrency-related referral programs, and hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker's.”
Trend Micro said they had also detected one bitcoin transaction compromised by FacexWorm. Though, the company added that they were not sure how much has been earned from the malicious web mining.
The extension was first exposed in August 2017 and it initially used Facebook Messenger to target people. A link would be sent to Facebook users which would redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website.
Once installed and granted permissions, the extension starts its malicious activities by contacting its command centre.
It basically is a clone of a normal Chrome extension but injected with short code containing its main routine, Trend Micro said.
Apart from capable of attacking trading platforms Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info, it pushes a cryptocurrency scam by manipulating users to send ethereum. Though, the cybersecurity company did not find anyone actually transferring the cryptocurrency.
The company reported that Chrome removed many of the FacexWorm extensions prior to Trend Micro's discovery. Moreover, the Facebook Messenger is also capable to detect and block the insidious links the malware uses.Google Chrome banned cryptocurrency mining extensions from its Web Store in early April.