A new form of malware known as Digmine is quickly making its rounds on Facebook’s Messenger platform.
The malware was first noticed in South Korea, from where it spread to other countries such as Ukraine, Vietnam and Thailand; given the trend, it is expected to reach other countries as well.
Facebook Messenger App
The Digmine malware is being propagated through the Facebook Messenger application.
Though the app runs on several platforms, including mobile phones, the malware has so far only affected the Chrome browser and the desktop version of the Messenger app.
According to Trend Micro, a Tokyo-based cybersecurity organization, the Digmine malware does not affect other platforms, even if users open the file.
In their research report, Trend Micro's researchers indicated that the mining bot arrives as a non-embedded file disguised as a video, under the name video_xxxx.zip.
In reality, the archive contains an executable AutoIt script.
The Digmine malware now spreading through Facebook Messenger is a botnet that targets devices in order to mine Monero, a digital currency similar to Bitcoin.
The creators are targeting computers in order to earn Monero, and the malware can also completely take over the victim’s Facebook account.
The rising value of cryptocurrencies is one of the reasons why cyber attackers are designing such malware, infecting more and more computers with the malicious programs so they’re able to mine these currencies remotely.
Once the victim opens the malware file, it infects the system and starts downloading further components from the command-and-control (C&C) server.
It installs miner.exe, a version of the XMRig Monero miner.
This program mines Monero silently in the background, so the attackers earn the currency using the CPU of the victim's computer.
How it Works
According to Trend Micro, the botnet known as Digmine appears in the form of video files and spreads through Google Chrome on the PC version of Facebook Messenger.
This means that if a user opens the malware file on a mobile phone, it will not function as intended, though it could still be dangerous.
The Digmine malware can completely take over the person's Facebook account.
It can also slow down the victim's computer and target their Facebook friends.
If the account is set to log in to Facebook automatically, the malware can easily send links to the file to the victim's friends.
As of now, the malware is designed for propagation. However, it may only be a matter of time before it is used to hack the victim's Facebook account.
This is expected because the code comes from a C&C server, which means that the creators can update it whenever they wish.
The Digmine malware usually remains on the victim's computer for a long time and infects as many devices as possible, so that the combined hash rate increases and the cybercriminals behind it earn more.
How it Uses Chrome
The malware installs a registry autostart mechanism as well as infection markers on the device.
It is then able to start Chrome and download malicious browser extensions from the C&C server.
If Chrome is already running on the device, the Digmine malware terminates it and launches it afresh.
Normally, Chrome extensions have to be installed from the Chrome Web Store.
However, the Digmine malware is able to avoid this by launching Chrome using the command line.
According to Trend Micro's findings, the malware can instruct the extension either to proceed with a Facebook login or to open a fake page that plays the video.
This fake page, or decoy site, is also an essential part of the C&C structure.
It looks like a video streaming website, but it actually hosts the configuration for the malware's components.
For now, if one of your Facebook Messenger contacts sends you a video file inside a zip archive, be alert and do not open it.
The good news is that Facebook has now removed many of the malware files from Messenger after being notified by the researchers.
Still, users must continue to be vigilant while clicking on a link or opening a file on the platform.