FacexWorm is malware that spreads to Facebook users through a malicious link sent in a Facebook Messenger chat. When the link is clicked, it redirects the user to a fake YouTube page that instructs them to install a YouTube-themed Chrome extension in the browser. First uncovered in August 2017, FacexWorm has since expanded its capabilities to carry out multiple malicious behaviors.

First, the malware is designed to detect when a victim visits the login page for Google, MyMonero, or Coinhive, then steals the credentials from the login form and sends them to its C2 server. When the victim visits one of the 52 cryptocurrency trading platforms that the malware targets, they are redirected to a scam page that instructs them to send Ether cryptocurrency to the attacker "for validation", with the promise that the money will be returned with interest. When the victim initially downloads the malicious extension, a JavaScript cryptocurrency miner called Coinhive, which mines the Monero cryptocurrency, is installed. If the victim visits a cryptocurrency-related website, the malware changes the receiving wallet address of a transaction to an address controlled by the threat actor.
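The infection chain described above (Messenger link, fake YouTube page, sideloaded Chrome extension, Coinhive miner) can be correlated from ordinary web proxy logs. The script below is an added example written for this page, not code from the Trend Micro report or from the malware itself. The log format, the client addresses, the `.invalid` lookalike hostname and the extension filename are all constructed for illustration and are not indicators from the report; the only real hosts referenced are the legitimate Facebook, Messenger, YouTube and Chrome Web Store download domains and `coinhive.com`, the domain from which the Coinhive library was served at the time.

```python
"""Correlate a FacexWorm-style infection chain from web proxy logs (defender-side example).

Added example, not part of the original report. The log format, client
addresses and the lookalike hostname below are constructed; only the
Messenger -> fake YouTube page -> Chrome extension -> Coinhive sequence
comes from the report.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: "<time> <client> <method> <url> referer=<url|->".
# 10.0.0.5 shows the full chain, 10.0.0.7 is benign activity that superficially
# resembles it, 10.0.0.9 loads Coinhive from an unrelated site (cryptojacking only).
SAMPLE_LOG = """\
2018-04-30T10:00:01Z 10.0.0.5 GET https://www.messenger.com/t/12345 referer=-
2018-04-30T10:00:04Z 10.0.0.5 GET http://youtube-video-example.invalid/watch?v=abc referer=https://www.messenger.com/t/12345
2018-04-30T10:00:09Z 10.0.0.5 GET http://youtube-video-example.invalid/ext/youtube-helper.crx referer=http://youtube-video-example.invalid/watch?v=abc
2018-04-30T10:00:20Z 10.0.0.5 GET https://coinhive.com/lib/coinhive.min.js referer=-
2018-04-30T10:01:00Z 10.0.0.7 GET https://www.youtube.com/watch?v=real referer=https://www.messenger.com/t/999
2018-04-30T10:01:30Z 10.0.0.7 GET https://clients2.googleusercontent.com/crx/blobs/abc.crx referer=-
2018-04-30T10:02:00Z 10.0.0.9 GET https://coinhive.com/lib/coinhive.min.js referer=https://news-site.invalid/article
"""

MESSENGER_HOSTS = {"www.messenger.com", "messenger.com", "www.facebook.com", "m.facebook.com"}
LEGIT_YOUTUBE = {"www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"}
# Hosts the Chrome Web Store uses to deliver .crx packages; anything else is a sideload.
WEBSTORE_CRX_HOSTS = {"clients2.google.com", "clients2.googleusercontent.com", "chrome.google.com"}
COINHIVE_HOSTS = {"coinhive.com"}

# The stages of the chain, in the order the report describes them.
CHAIN = ["messenger_lure", "sideloaded_extension", "coinhive_miner"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) referer=(?P<referer>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Lower-cased hostname of a URL; '' for the '-' placeholder or a bare path."""
    if url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def classify_request(url, referer):
    """Map one request to a chain stage, or None if it matches nothing."""
    host, ref_host = host_of(url), host_of(referer)
    path = urlparse(url).path.lower()
    # A Messenger-referred visit to a host posing as YouTube (but not YouTube itself).
    if ref_host in MESSENGER_HOSTS and "youtube" in host and host not in LEGIT_YOUTUBE:
        return "messenger_lure"
    # A Chrome extension package fetched from outside the Web Store.
    if path.endswith(".crx") and host not in WEBSTORE_CRX_HOSTS:
        return "sideloaded_extension"
    # The Coinhive browser miner being loaded.
    if host in COINHIVE_HOSTS:
        return "coinhive_miner"
    return None


def correlate(lines):
    """Per client, the distinct chain stages observed, in first-seen order."""
    stages = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify_request(rec["url"], rec["referer"])
        if stage and stage not in stages[rec["client"]]:
            stages[rec["client"]].append(stage)
    return dict(stages)


def _is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(item in it for item in needle)


def complete_chains(stages_by_client):
    """Clients whose observed stages contain the full chain in the reported order."""
    return [c for c, seen in stages_by_client.items() if _is_subsequence(CHAIN, seen)]


if __name__ == "__main__":
    observed = correlate(SAMPLE_LOG.splitlines())
    for client, seen in observed.items():
        print(client, seen)
    print("full chain:", complete_chains(observed))
```

Partial matches (a client that only loaded Coinhive, or only sideloaded an extension) are kept in the `correlate` output so an analyst can triage them separately; only a client that shows all three stages in order is reported by `complete_chains`.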

Reporting and Technical Details

  • April 2018: FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation. (Trend Micro)