New FacexWorm Malware Targets Crypto Users & Spreads Via Facebook Messenger
Cybersecurity research firm TrendMicro has identified a new malware targeting cryptocurrency trading platforms. That malware, dubbed “FacexWorm”, spreads via Facebook Messenger and specifically targets cryptocurrency exchanges.
The malware was first uncovered in August 2017. However, in April 2018, TrendMicro noticed a spike in activities.
The malware has been spotted affecting users in Germany, Japan, Taiwan, South Korea, Spain, and Tunisia.
FacexWorm uses a variety of techniques to target cryptocurrency users. You receive the virus through Facebook Messenger. Then, the virus implements various actions to make money. The virus will scan for cryptocurrency credentials entered through your browser, for example. It can also hijack transactions, redirect you towards cryptocurrency scams, and run mining scripts through your browser.
Most infections occurred via Facebook Messenger. However, a small number of infections occurred via Chrome extensions. Google has since removed these extensions from its online store.
How Does FacexWorm Work?
FacexWorm spreads via Facebook Messenger, using similar tactics to other viruses. The virus will send socially-engineered links to friends via Messenger. The message entices users to click on the infected URL.
One common tactic used by FacexWorm is to send users a single emoji accompanied by a URL. That URL sends users to a page that seems identical to YouTube. When you visit the page, you’ll see a pop-up prompting you to install a codec extension in order to play the video.
That extension – which is actually FacexWorm – will request privileges to access and change data on the opened website. At this point, you’ve been infected with FacexWorm and the virus will go to work.
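A defender-side way to spot the mismatch described above (a "codec" extension asking for site-wide access) is to triage an extension's manifest.json before trusting it. The following is an added example, not TrendMicro's code or anything from the actual malware; the sample manifest is constructed to resemble the lure, and the permission lists are assumptions about what a video codec has no need for.

```javascript
// Triage helper for a browser-extension manifest.json: flags the kind of
// broad privileges a "codec" extension has no legitimate need for.
// Handles Manifest V2 (host patterns inside "permissions") and V3
// ("host_permissions"). The sample manifest at the bottom is constructed.

const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
// Assumed list of API permissions worth a second look on a media extension.
const SENSITIVE_PERMISSIONS = ["tabs", "webRequest", "webRequestBlocking", "cookies", "scripting", "clipboardRead"];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern) || /^\*:\/\/\*\//.test(pattern);
}

function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hostPerms = [
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>"),
    ...(manifest.host_permissions || []),
  ];
  const apiPerms = perms.filter((p) => !p.includes("://") && p !== "<all_urls>");

  hostPerms.filter(isBroadHost).forEach((p) => findings.push(`host access to every site: ${p}`));
  apiPerms.filter((p) => SENSITIVE_PERMISSIONS.includes(p)).forEach((p) => findings.push(`sensitive API permission: ${p}`));

  // Content scripts matching every page can read and rewrite any site the user opens.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadHost);
    if (broad.length) findings.push(`content script ${(cs.js || []).join(",")} injected into every page: ${broad.join(",")}`);
  }
  // A codec/player that needs site-wide access is a purpose/privilege mismatch.
  const desc = `${manifest.name || ""} ${manifest.description || ""}`.toLowerCase();
  if (/codec|player|video/.test(desc) && findings.length) {
    findings.push("media/codec-themed extension asking for site-wide access: stated purpose does not match privileges");
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample resembling the lure described above (not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Video Codec Pack",
  description: "Install this codec to play the video",
  permissions: ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start" }],
};

console.log(triageManifest(SAMPLE_MANIFEST));
```

The same function can be pointed at the manifests under a browser profile's extensions directory to review what is already installed.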
What Does FacexWorm Do?
Once you’ve been infected with FacexWorm, the virus can steal your account information and credentials on cryptocurrency exchange websites. After installation, the virus will download additional malicious code from its command and control (C&C) server, then open Facebook’s website and begin sending messages to other users.
FacexWorm has also been spotted hijacking transactions in trading platforms and web wallets by replacing the recipient address with the attacker’s address.
In other words, FacexWorm won’t actually take control of your cryptocurrency exchange. However, the virus will automatically replace crypto wallet addresses with the address of the attacker. You might think you’re sending funds to a legitimate address, but in reality, they’re being sent to the attacker.
This may sound frightening, but it’s not currently a major issue: TrendMicro has only identified a single bitcoin transaction caused by a browser compromised by FacexWorm.
Even if you don’t log into a cryptocurrency exchange with an infected browser, FacexWorm will still target you through cryptocurrency scams. FacexWorm will redirect you to cryptocurrency scams when you try to search or visit an ordinary website, for example.
FacexWorm has also been spotted injecting malicious mining code into webpages. It’s unclear how much money the attackers have earned through malicious web mining activities.
Ultimately, FacexWorm is a complex and multi-faceted virus targeted towards crypto users. However, it can also affect virtually any internet user by pushing them towards referral-based crypto scams or hijacking websites in order to mine cryptocurrencies. The virus spreads via infected Facebook Messenger links.
To learn more about FacexWorm and how it works, see TrendMicro’s official blog post.