FacexWorm Malware Spreading via Facebook Messenger

Trend Micro researchers have discovered a new malware variant spreading to Facebook users. Dubbed FacexWorm, the malware is distributed via a malicious link in a Facebook Messenger chat. If clicked, the link redirects users to a fake YouTube page where they are instructed to install a YouTube-themed Chrome extension in their browser.

When downloaded, the extension conducts a number of malicious activities. The malware can steal login credentials when the user accesses certain sites and sends those credentials to C2 servers controlled by the threat actor. If the victim accesses any of the 52 cryptocurrency-related sites hardcoded into the extension, they are redirected to a web page that asks them to verify their account by sending Ether cryptocurrency to an account controlled by the threat actor. If any transactions are performed on these sites, FacexWorm can replace the recipient’s cryptocurrency wallet address with one linked to the threat actor. The extension also injects an obfuscated Coinhive script onto the infected system, using the system’s CPU resources to mine cryptocurrency. The campaign perpetuates itself by using the compromised user’s Facebook account to send their friends the same malicious link via Facebook Messenger.

The NJCCIC recommends Facebook users review the Trend Micro report, exercise increased caution when using social media platforms, and avoid clicking on links in unexpected messages until their legitimacy has been verified by the message sender. Additionally, we recommend users and administrators install browser extensions directly from official browser stores, run updated antivirus software, proactively block outbound connections to the domains coinhive[.]com and coin-hive[.]com, and monitor network activity for anomalies that indicate cryptocurrency-mining activity.
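
One way to act on the monitoring recommendation above, as an added example that is not part of the NJCCIC advisory or the Trend Micro report: a Python check that flags DNS queries for the two Coinhive domains and any of their subdomains, grouped by client. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# The two domains named in the advisory (written defanged there).
BLOCKED = ("coinhive.com", "coin-hive.com")

# Constructed sample in an assumed "timestamp client_ip query_name" layout.
SAMPLE_LOG = """\
2018-05-02T10:01:11Z 10.0.0.15 www.youtube.com
2018-05-02T10:01:12Z 10.0.0.15 coinhive.com
2018-05-02T10:01:13Z 10.0.0.15 miner.Coinhive.com.
2018-05-02T10:01:14Z 10.0.0.22 notcoinhive.com
2018-05-02T10:01:15Z 10.0.0.22 coinhive.com.example.org
2018-05-02T10:01:16Z 10.0.0.31 cdn.coin-hive[.]com
malformed line
"""

def normalise(name):
    """Lowercase, undo [.] defanging, and drop the trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")

def is_blocked(name, blocked=BLOCKED):
    """True for a blocked domain or a subdomain of it, matched on label boundaries."""
    name = normalise(name)
    return any(name == d or name.endswith("." + d) for d in blocked)

def find_hits(log_text):
    """Return {client_ip: [matching query names]} for a DNS query log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not fit the assumed layout
        _, client, qname = fields
        if is_blocked(qname):
            hits[client].append(normalise(qname))
    return dict(hits)

if __name__ == "__main__":
    for client, names in find_hits(SAMPLE_LOG).items():
        print(client, len(names), ", ".join(names))
```

Matching on label boundaries keeps look-alike names such as notcoinhive.com, or a blocked name used as a prefix of another domain, from being reported as hits.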