Cybersecurity researchers are warning users about a new malware campaign that has been under way since March. The newly discovered campaign has already infected more than 100,000 victims worldwide.
The malware, named Nigelthorn, is spreading rapidly through socially engineered links on Facebook and infects victims’ devices with malicious browser extensions that steal their social media credentials, install cryptocurrency miners, and use them for click fraud.
The malware was embedded in at least seven different Chrome browser extensions, all of which were hosted on Google’s official Chrome Web Store.
According to a report, the hackers behind this malware take copies of legitimate Google Chrome extensions and inject an obfuscated malicious script into them, which lets the copies pass Google’s extension validation checks.
Hackers spread Nigelthorn through malicious links on Facebook
Nigelthorn is promoted via socially engineered links on Facebook which, if accessed, redirect victims to a fake YouTube page that asks them to install a malicious Chrome extension in order to keep playing the video.
A similar piece of malware, named Digimine, is also spread via socially engineered links over Facebook Messenger. Digimine likewise installs a malicious extension, which gives the hackers access to the victim’s Facebook profile and spreads the same malware to the victim’s friends list via Messenger.
Digimine and Nigelthorn are not the only ones: another one, named FacexWorm, is distributed in the same way as the previous two and also redirects its victims to a fake YouTube page that persuades them to install a malicious Chrome extension.
After analysing Nigelthorn, researchers found that it is used to steal passwords for Facebook and Instagram accounts.
The new malware focuses on stealing credentials for victims’ Facebook and Instagram accounts and on collecting details from their Facebook accounts.
Remember that only antivirus for Windows or antivirus for Mac gives you protection against hacker attacks. Also remember that tests such as penetration tests and ethical hacking tests are now available to any company that wants to tighten its security.
The stolen information is later used to send malicious links to the victims’ friends in an attempt to push the same malicious extensions further. If any of the friends click on the link, the whole infection chain starts over again.
Nigelthorn can also download a browser-based cryptocurrency mining tool that uses the infected systems to mine cryptocurrencies such as Monero, Bytecoin or Electroneum.
In just six days, Nigelthorn generated around $1,000 in Monero for the hackers behind it.
Be aware! Nigelthorn includes a protection mechanism that prevents victims from removing the malicious extensions: it automatically closes the browser’s extensions tab each time the victim opens it.
The same malware also blacklists a variety of cybersecurity tools offered via Facebook and Google, and even prevents victims from editing or deleting posts and making comments.
This is the list of all seven extensions masquerading as legitimate extensions:
• Divinity 2 Original Sin: Wiki Skill Popup
Google has now removed all of the above-listed extensions. If you have installed any of them, we advise removing it immediately and changing the passwords for your Facebook and Instagram accounts, as well as for any other accounts that use the same credentials.
Facebook spam campaigns are a ubiquitous cybersecurity threat, which is why users must be vigilant when clicking on links or files promoted via the social media platform.
To stay away from such threats, we recommend installing antivirus for Windows or antivirus for Mac on every device you own, depending on which OS the device is running.
If you run a company, it is also recommended to hire a specialised cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests. And if your business exists 100% online, we recommend using cyber-secured web hosting services.
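As an added check (not code from the article or from the researchers’ report): the Python script below walks a Chrome profile’s Extensions directory, resolves localized extension names, and flags any installed extension whose name is on the article’s list or that combines the tabs and webRequest permissions with access to all URLs. The watch list holds only the one name the article reproduces, and the sample profile it scans when run without an argument is constructed.

```python
import json
import sys
import tempfile
from pathlib import Path

LISTED = "Divinity 2 Original Sin: Wiki Skill Popup"  # the one name the article reproduces
WATCHLIST = {LISTED}  # extend with the other six names once you have them
BROAD_PERMS = {"tabs", "webRequest", "<all_urls>"}  # together: read every tab and request

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Expand a localized __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key, locale = name[6:-2], manifest.get("default_locale", "en")
        msgs = ext_dir / "_locales" / locale / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text("utf-8")).get(key, {}).get("message", name)
    return name

def scan_extensions(root: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report suspicious ones."""
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text("utf-8"))
        name = resolve_name(manifest_path.parent, manifest)
        # MV2 keeps host patterns under "permissions", MV3 under "host_permissions".
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if name in WATCHLIST:
            reasons.append("name on watchlist")
        if BROAD_PERMS <= perms:
            reasons.append("tabs+webRequest on all URLs")
        if reasons:  # the extension id is the directory two levels above manifest.json
            findings.append({"id": manifest_path.parent.parent.name, "name": name, "reasons": reasons})
    return findings

def build_sample_profile() -> Path:
    """Constructed sample profile: one benign extension and one that trips both rules."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    files = {"aaaa/1.0/manifest.json": {"name": "Benign Notes", "permissions": ["storage"]},
             "bbbb/1.0/manifest.json": {"name": "__MSG_appName__", "default_locale": "en",
                                        "permissions": ["tabs", "webRequest", "<all_urls>"]},
             "bbbb/1.0/_locales/en/messages.json": {"appName": {"message": LISTED}}}
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(json.dumps(content), "utf-8")
    return root

if __name__ == "__main__":  # optional argument: your Chrome profile's Extensions directory
    print(scan_extensions(Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile()))
```

On a real profile the Extensions directory sits under the Chrome user data folder (for example the Default profile), and a hit on the watch list means the extension should be removed and the affected passwords changed as the article advises.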