Crypto mining scripts and bots that inject themselves into browsers and web apps have become an increasingly common pest on the internet.This kind of malware usurps the CPU of unwitting users, turning their computers and phones into devices for mining cryptocurrency–in this case, Monero. Now, a crypto mining bot infecting the Chrome extension version Facebook Messenger has been reported in at least seven different countries.
The crypto craze that has swept the globe has caused an uptick in a variety of cryptocurrency-related scams. A spokesperson for Trend Micro told The Telegraph that the growing popularity of the cryptocurrency mining industry is “drawing attackers back to the mining botnet business.”
The spokesperson went on to explain that a platform like Facebook is ideal for this kind of attack. “Numbers are crucial—bigger victim pools equate to potentially bigger profits. The fact that they’re piggybacking on popular platforms such as social media to spread their malware is unsurprising.”
This particular bot, which has been dubbed “Digimine,” was originally discovered in South Korea by Lenart Berjemo and Hsiao-Yu Shih, who alerted Facebook of their findings. Cryptovest reported that the bot’s presence has mostly been detected across Asia, with a few exceptions–Vietnam, Azerbaijan, Ukraine, Vietnam, the Philippines, Thailand, and Venezuela have all made the list.
Digimine Attaches Itself to Chrome With Efficiency
Although Digimine has been created using the AutoIt programming language, the file containing the bot presents itself as a video file. Additionally, if Facebook Messenger is set to automatically log in, the file will automatically send the user’s friends a link to itself.
The model of self-dispersal and propagation used by Digimine is indicative that there is a good chance that the bot could continue to spread with fervor. A blog post from Trend Micro explained that “Digmine’s interaction with Facebook could get more functions in the future since it’s possible to add more code” from the bot’s C&C (Command and Control) server.
The Digimine file has reportedly been masquerading under the names “thisaworkstation.space,” “mybigthink.space,” and “thisdayfunnyday.space.” Clicking on the file will indeed open site with a video–all part of the decoy. Meanwhile, the bot’s codec.exe component will download miner.exe, “an iteration of an open-source Monero miner known as XMRig,” according to Trend Micro.
If the file containing the bot is opened on any of the other versions of Facebook Messenger (ie mobile), the bot will not be able to function. Only the Chrome extension version of Messenger can be affected.
Facebook’s Lukewarm Response
Despite Digimine’s potential to spread quickly throughout Facebook’s ecosystem, Facebook has not taken any serious action against the bot. A spokesperson for Facebook told the Telegraph that “If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners.”
The spokesperson went on to say that helpful tips on “how to stay secure” could be found in Facebook’s help section.
As always, the best way to stay safe in the crypto space–and any online space, for that matter–is to be informed. Be sure to stay abreast of the crypto scams that continue to show their ugly faces, and you have already done the best that you can do to keep your computer safe.