New cryptocurrency mining virus is spread via Facebook

A malicious Chrome extension is now spread via Facebook Messenger, and it is used to target users of cryptocurrency trading platforms to steal their accounts’ credentials.
This extension is named FacexWorm. The malicious extension first appeared in August last year, but now researchers noticed the malware inside it was re-packed with a few new malicious capabilities which include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the hacker’s referral link for cryptocurrency-related referral programs.

This isn’t the first malware spread via Facebook, last year, researchers discovered a Monero-cryptocurrency mining bot, named Digmine, that was spread via Facebook messenger targeting Windows computers, as well as Google Chrome for cryptocurrency mining.
FacexWorm works by sending socially engineered links over Facebook Messenger to the friends of an affected Facebook account to redirect victims to fake versions of popular video streaming websites, like, YouTube.

FacexWorm extension affects only Chrome users, if the malware detects any other web browser on the victim’s computer, it redirects the user to an innocuous-looking advertisement.
FacexWorm malware modus-operandi
If the malicious video link is clicked by a victim using Chrome browser, it will be redirected to a fake YouTube page, where is encouraged to download a malicious Chrome extension masked as a codec extension needed to continue playing the video.
Once installed, FacexWorm Chrome extension downloads more modules from its C&C server to perform various malicious tasks.
Then every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code and execute its behaviors on that webpage.

Because the extension takes all the extended permissions at the time of installation, the malware can access or modify data for any websites the user opens.
To stay away from such threats, we recommend the install of antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your device is running.
If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests; they are essential because an infection that uses malware coin miners is hazardous for every company.

FacexWorm malware can:
• Spread itself further like a worm, the malware requests OAuth access token for the Facebook account of the victim, using which it then automatically obtains the victim’s friend list and sends that malicious, fake YouTube video link to them.
• Steal the victim’s account credentials for Google, MyMonero, and Coinhive.
• Inject cryptocurrency miner to web pages opened by the victim.
• Hijacks the user’s cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
• If the victim has accessed one of the 52 cryptocurrency trading platforms or typed keywords like “blockchain,” “eth-,” or “ethereum” in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal user’s digital coins.
• Avoid detection or removal by immediately closing the opened tab when it detects that the victim is opening the Chrome extension management page.
• Gets a referral incentive every time a victim registers an account on Binance, DigitalOcean,,, or HashFlare.

Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).
The FacexWorm malware is present in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.
Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running,
If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.