The mining bot is disguised as a viral video.
Tokyo-based cybersecurity firm Trend Micro discovered a cryptocurrency mining bot in Facebook Messenger. Dubbed “Digmine,” the malware was first found in South Korea and has since spread to Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. It is expected to rapidly make its way to other countries.
If a Facebook Messenger user has their account set to automatically log in, Digmine will immediately send a disguised video link, typically titled “video_xxxx.zip,” to all of their friends via direct message. If that file is opened, it will execute the malware. Once the bot is planted, an auto-start mechanism will launch Chrome and run a malicious browser extension. Typically, browser extensions can only be downloaded from the Chrome store, but Digmine gives hackers the ability to bypass this step using the command line.
Once everything is in place, a mining module is downloaded onto the victim’s web browser. Known as XMRig, it uses their computer resources to mine Monero, a type of cryptocurrency similar to Bitcoin. The Chrome extension then completes the cycle, sending fake video links to more Facebook users.
The mining bot’s goal is to stay unnoticed for as long as possible, eating up valuable computer CPU resources. Even more concerning is the potential for hackers to take over Facebook accounts.
“The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line,” Trend Micro wrote.
Fortunately, the cryptocurrency mining bot is limited to the desktop (Chrome) version of Messenger. If the video file is opened on other platforms, like the mobile webpage or app, it will not work as intended.
Facebook also reportedly took down many Digmine-related links after Trend Micro disclosed its findings.
“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger,” Facebook said in a statement. “If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners … on facebook.com/help.”
That doesn’t mean you’re in the clear just yet. It’s likely there are still links floating around, and the hackers could choose to tweak the links and start all over again. To protect yourself from Digmine, avoid opening suspicious links, enable your account’s privacy settings, and monitor your computer’s CPU usage.