FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation

FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation (Apr 30, 2018)

Trend Micro researchers have found that the malicious Chrome extension, dubbed “FacexWorm,” has added new features to its malicious capabilities. The malicious extension uses Facebook Messenger for distribution by directing message recipients to a Youtube page that asks the user to install a codec extension; the codec extension is FacexWorm. Installation of the extension results in a request for the privilege to access and change data on a website. These permissions allow FacexWorm to install cryptocurrency miners on web browsers, and hijacks transactions by replacing a user’s wallet with one owned by the threat actor(s) controlling the malware, among other theft techniques.

Recommendation: Free applications should be regarded with the utmost scrutiny before they are downloaded because as this story depicts, free software can sometimes come with security risks. Additionally, keeping track of the applications used by your company is important because unknown applications discovered on machines may indicate an infection. The same method should also be applied to web browser add-ons.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.