Barkly vs Malware
Barkly Research
Jan 2018

Cryptocurrency-Mining Malware Spreads via Facebook Messenger


Bitcoin may be crashing, but crypto-mining malware is steadily on the rise. Learn how a variant called Digmine is infecting Facebook Messenger users and hijacking their CPU power to mine Monero.

For the vast majority of cyber criminals, the reason for hijacking a victim’s computer ultimately comes down to making a buck. While the last few years have seen criminals flock to ransomware as an effective method of monetizing their attacks, during the past six months we’ve seen another dramatic shift in tactics. Instead of holding encrypted files ransom and hoping victims will fork over cryptocurrency, now more and more attackers are effectively cutting out the (often unwilling) middleman and hijacking compromised computers to mine cryptocurrency, directly.

According to Check Point’s Global Threat Index, two of the three most prevalent malware variants in December 2017 were cryptocurrency-miners. The company also estimates 55 percent of organizations worldwide have been affected by malicious cryptocurrency mining.

With this threat clearly on the rise, let’s take a closer look at a specific crypto-mining malware campaign researchers at TrendMicro spotted in late December.

Using Facebook Messenger to spread Digmine malware

First observed infecting victims in South Korea, Digmine malware was able to quickly propagate throughout a large number of additional countries thanks to its use of a near-ubiquitous delivery platform — Facebook Messenger.

Disguised as a video file, Digmine was sent to victims from contacts they knew (who had been previously infected). The malware is coded in AutoIt (a Windows scripting language) and only runs on Facebook Messenger’s desktop/web browser (Chrome) version. In addition to infecting any victim who opens the file, if the victim's Facebook account is set to log in automatically Digmine is programmed to send the fake video link out to all of their Facebook contacts, spreading the malware even further. 

[Image: Digmine delivered via Facebook Messenger. Source: TrendMicro]

Once running on an infected machine, Digmine sets up shop by downloading several components from the attacker's command and control server and installing an autostart mechanism in the registry to ensure it gets loaded again after reboots. It then launches Chrome loaded with a malicious extension, or, if Chrome is already running, it shuts down the browser and relaunches it with the malicious extension loaded. 

From there, Digmine's goal is to maintain its presence on the victim's computer for as long as possible while it quietly diverts its CPU power to mining Monero.

The Digmine Infection Chain

[Diagram: Digmine crypto-mining malware attack chain]

  • Once the fake video file is opened the Digmine downloader first connects to the C&C server to download multiple components and stores them in the %appdata%\<username> directory.
  • Digmine then performs generic checks and installs a registry autostart mechanism along with a system infection marker.
  • It then launches the Chrome browser application with a malicious extension loaded directly from the command line, which bypasses restrictions designed to limit extensions to only those loaded and hosted from the Chrome Web Store. Note: If Chrome is already running, then Digmine will close and relaunch Chrome to ensure the malicious extension is loaded.
  • The Chrome extension receives instructions from the C&C server either to log in to the Facebook account or to open a decoy web page with a video playing. The site holds additional configurations required for the malware’s infection and propagation.

[Image: Web page disguised as a video streaming site distracts victims while Digmine installs various malicious components. Source: TrendMicro]


  • The browser extension is also responsible for the propagation of this malware. If the victim has Facebook auto-login enabled, the malicious browser extension can interact with their account and share the malware link with their contacts. 
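As an added illustration (not from the original post or TrendMicro's analysis) of how a defender might hunt for two behaviours in this chain, the Python below flags Chrome being launched with an extension directory passed on the command line (Chrome's `--load-extension` switch is how an unpacked extension that is not hosted on the Web Store gets loaded) and a Run-key autostart whose target lives under the roaming AppData profile. The event shape, user name and every path are constructed assumptions, not real Digmine telemetry.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (assumption,
# not real Digmine data): a Chrome launch that loads an extension from the
# user's roaming profile, a normal launch, and two Run-key writes.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"type": "process", "image": CHROME, "parent": r"C:\Users\alice\AppData\Roaming\alice\codec.exe",
     "cmdline": f'"{CHROME}" --load-extension="C:\\Users\\alice\\AppData\\Roaming\\alice\\ext" https://www.facebook.com/'},
    {"type": "process", "image": CHROME, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{CHROME}" --profile-directory=Default'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "codec", "data": r"C:\Users\alice\AppData\Roaming\alice\codec.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# --load-extension takes one or more comma-separated directories; the value
# may or may not be quoted, so accept both forms.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

def sideloaded_extensions(event):
    """Directories Chrome was told to load as extensions on its command line; [] otherwise."""
    if event["type"] != "process" or not event["image"].lower().endswith("\\chrome.exe"):
        return []
    m = LOAD_EXT.search(event["cmdline"])
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in raw.split(",") if p]

def appdata_autostart(event):
    """True for a Run-key value whose target lives under AppData\\Roaming."""
    return (event["type"] == "registry"
            and RUN_KEY.search(event["key"]) is not None
            and APPDATA.search(event["data"]) is not None)

def triage(events):
    """Collect (rule, detail) findings over an event stream."""
    findings = []
    for ev in events:
        for ext in sideloaded_extensions(ev):
            findings.append(("chrome_cmdline_extension", ext))
        if appdata_autostart(ev):
            findings.append(("appdata_run_key", ev["data"]))
    return findings
```

Both rules also fire on legitimate developer and installer activity, so treat them as triage leads to correlate with the parent process and the extension directory's contents, not as standalone verdicts.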

Monero mining component

Behind this entire charade, the miner module (miner.exe) is downloaded by the management component codec.exe. The management component connects to another C&C server to retrieve the miner along with its configuration files.

The miner.exe is a version of an open-source Monero miner known as XMRig that runs in the background.

[Screenshot: Digmine's miner.exe. Source: TrendMicro]


During the last few months there have been numerous reports of cybercriminals moving away from Bitcoin in favor of Monero in droves — primarily due to the fact that Monero provides them with even greater anonymity. It also doesn't hurt that Monero's price quadrupled during the last two months of 2017, and has climbed another 7 percent in January. 

As Bleeping Computer reports, the number of attack campaigns spreading Monero-mining malware is growing at a rapid clip.  

Watch Barkly block this attack before the miner is even downloaded

[Diagram: Barkly vs. Digmine malware attack chain]

Because the goal of cryptocurrency mining malware is to propagate, gain persistence, and evade detection for as long as possible, it's important to block infections at the outset, before the malware has a chance to establish a foothold.

Barkly is designed to do just that, blocking Digmine and malware like it before it can hijack any computer resources or do any damage at all. 

[Animation: Barkly blocks the fake video file before it can connect to the C&C server]

Crypto-mining malware is already shaping up to be one of the most prolific threats users and organizations will face this year. Make sure you're protected with smarter endpoint security designed to evolve along with the latest attacks.


Digmine hashes:

  • beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d
  • f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909