New Facebook-Spread Malware Triggers Credential Theft, Cryptomining

facebook plain text password

A new malware campaign being rapidly spread on Facebook is infecting users’ systems to perform credential theft, cryptomining, and click fraud.

A new malware campaign rapidly spreading via Facebook is infecting victims’ systems to steal their social media credentials and download cryptomining code.

The malware, dubbed Nigelthorn by the Radware researchers who first discovered it, is being propagated via socially engineered links on Facebook. It has been active since at least March 2018 and has already infected more than 100,000 users globally, they said in a report.

The campaign operators created copies of the legitimate extensions and injected a short, obfuscated malicious script to start the malware operation, Adi Raff, security research team leader at Radware, told Threatpost. This is done to bypass Google’s extension validation checks.

After first detecting the zero-day malware threat at one of Radware’s customers, a global manufacturing firm, researchers named the malware after the main Google Chrome application it leverages: the “Nigelify” application. This legitimate Chrome app replaces pictures with the face of cartoon character Nigel Thornberry, and Radware said that it has been responsible for a large portion of the observed infections.

However, the bad actors are also using other existing, approved Chrome extensions like PwnerLike and iHabno. In all, seven Chrome applications have been discovered laden with the malware. Raff said four of these have been identified and blocked by Google’s security algorithms.

A Google spokesperson told Threatpost: “We removed the malicious extensions from Chrome Web Store and the browsers of the small percentage of affected users within hours of being alerted.”

Attack Process

The attack chain starts with a victim clicking on a malicious link sent via Facebook. “Victims will log into their Facebook and see a personal message from one of their friends, or they’ll be tagged in a post with a malicious link, and a picture sometimes, asking them to click on it,” said Raff.

The link redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.

Once the user clicks on “Add Extension,” one of the seven malicious extensions – most typically Nigelify –  will install the malware onto their system.

“It is important to emphasize that the campaign focuses on Chrome browsers, and Radware believes that users that do not use Chrome are not at risk,” researchers said.

Once executed, the malicious JavaScript downloads an initial configuration from the bad actor’s C2 with a set of requests – including a triple-threat set of plugins that comprise of code for Facebook propogation, cryptomining code and YouTube click fraud.

Triple-Threat Malware 

The Facebook propagation capabilities continue to spread the malware through the victim’s social network – the authenticated users’ Facebook access tokens are generated and the propagation phase begins.

“The malware collects relevant account information for the purpose of spreading the malicious link to the user’s network,” Radware researchers said. “Once the victim clicks on the link, the infection process starts over again and redirects them to a YouTube-like webpage that requires a ‘plugin installation’ to view the video.”

A publicly available, browser-mining tool (Javascript code looking to mine the Monero, Bytecoin or Electroneum currencies) is also downloaded as a plugin to trigger the infected machines to start mining cryptocurrencies.

“At the time of writing, approximately $1,000 was mined over six days, mostly from the Monero pool,” according to the researchers.

As the icing on the cake, the malware also contains a request to steal the victim’s Facebook or Intstagram credentials.

“The malware is focused on stealing Facebook login credentials and Instagram cookies. If login occurs on the machine (or an Instagram cookie is found), it will be sent to the C2,” Radware researchers said in the report. “The user is then redirected to a Facebook API to generate an access token that will also be sent to the C2 if successful.”

The malware contains numerous persistence features as well – for instance, if a user tries to open the extensions tab to remove the extension, the malware closes it and prevents removal. It also downloads  URI Regex from the C2 and blocks users that try to access those patterns.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets,” said Radware researchers. “Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources.”

Facebook malware campaigns have been cropping up lately on the social media platform – including FacexWorm, a malware in Facebook Messenger that installs on victim’s systems and steals their passwords.

“I think we’ll only see these types of [Facebook-propagated] malware continue in the future,” said Raff.

Suggested articles