Malware virus is spreading through Facebook

A virus that hijacks users devices and uses them to mine cryptocurrencies is spreading fast through Facebook.

Cybersecurity experts are warning users to be cautious when clicking links to videos, even when sent from a friend.

Computer virus researchers from Trend Micro are warning of a malicious Chrome extension that is spreading through Facebook Messenger.

The malware is targeting users of cryptocurrency trading exchanges in a bid to steal their accounts’ credentials.

The virus technique, dubbed FacexWorm, first emerged in August last year.

Earlier this month, however, researchers noticed the virus was re-packed a few new malicious capabilities.

The malware is now capable of stealing account credentials from websites like Google and cryptocurrency sites.

Cryptocurrency Mining Virus Spreads Through Facebook

It can also redirect victims to cryptocurrency scams, inject crypto mining software on the web page, and redirecting victims to the attacker’s cryptocurrency-related referral programs.

It isn’t the first time the social media site has been used to spread malware through its Facebook Messenger.

Researchers at Trend Micro discovered a Monero cryptocurrency mining bot last year dubbed Digmine.

The virus was spreading through Facebook Messenger and targeting Windows PCs and Google Chrome to mine crypto.

Cryptocurrency Mining Virus Spreads Through Facebook
Similar to Digmine, FacexWorm also sends socially engineered links through Facebook Messenger to the friends of an affected Facebook user.

The virus then redirects victims to fake versions of familiar video streaming websites, such as YouTube.

The FacexWorm extension itself is only been designed to target Chrome users.

However, if the malware detects a different web browser on the victim’s device, it redirects the user to a phishing website.

How does the virus work?

If a user clicks on the malicious video link, it opens using Chrome browser and FacexWorm redirects the victim to a fake YouTube site.

The user is then urged to download an innocent-looking Chrome extension as a codec extension that’s “needed” to play the video.

Once the extension is installed, the virus downloads more modules from its control server to perform a variety of malicious tasks.

In a statement about the worrying malware, the researchers explain:

“FacexWorm is a clone of a normal Chrome extension but injected with shortcode containing its main routine.

“It downloads additional JavaScript code from the C&C server when the browser is opened.

“Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage.”

The malware can access or modify data for any website the user visits since the extension applies all the extended permissions at the time of installation.

Below is a brief outline of what FacexWorm virus can perform:

  • To spread itself further like a worm, the malware requests OAuth access token for the Facebook account of the victim, using which it then automatically obtains the victim’s friend list and sends that malicious, fake YouTube video link to them as well.
  • Steal the user’s account credentials for Google, MyMonero, and Coinhive, when the malware detects that the victim has opened the target website’s login page.
  • FacexWorm also injects cryptocurrency miner to web pages opened by the victim, which utilizes the victim computer’s CPU power to mine Cryptocurrency for attackers.
  • FacexWorm even hijacks the user’s cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
  • When the malware detects the user has accessed one of the 52 cryptocurrency trading platforms or typed keywords like “blockchain,” “eth-,” or “ethereum” in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal user’s digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet
  • To avoid detection or removal, the FacexWorm extension immediately closes the opened tab when it detects that the user is opening the Chrome extension management page.
  • The attacker also gets a referral incentive every time a victim registers an account on Binance, DigitalOcean,,, or HashFlare.

Cryptocurrency Mining Virus Spreads Through Facebook

Up until April 19, Trend Micro has only found one Bitcoin transaction that was compromised, with a value of just $2.49.

They don’t know how much the hackers have earned through malicious cryptocurrency mining, however.

Embedded in the virus is a list of cryptocurrencies the hijackers were targetting.

These include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

So far, the malware has been surfacing in Japan, Taiwan, South Korea, Germany, Tunisia, and Spain.

It is likely that the malware is being spread globally though, due to Facebook Messenger being used worldwide.

After notified by Trend Micro researchers, Chrome Web Store removed many of the malicious extensions.

The attackers continue to keep uploading it back to the store, however.

Users are advised to be vigilant when clicking on links and files provided via Facebook.