Digmine Cryptocurrency Miner Spreads via Facebook Messenger

Researchers at Trend Micro identified a new cryptocurrency-mining bot, dubbed Digmine, spreading through Facebook Messenger installed on Windows systems. The malware is distributed via messages containing a file named video_xxxx.zip – of which each “x” is a number – that hides an executable file. If the user runs the file, they are infected with Digmine which then contacts its command and control (C2) server. The C2 server sends the victim a Monero cryptocurrency miner and a malicious Chrome extension used to propagate to new victims. If the targeted user’s account is set to automatically sign in, the Digmine Chrome extension will access the user’s Facebook Messenger profile and send a message containing a similar video_xxxx.zipfile to all of the user’s contacts. Digmine was first discovered targeting South Korean users and has since spread to other regions around the world. Facebook was notified of this campaign and has since removed the malicious links from Messenger conversations; however, the threat actors can easily change their distribution links. These types of campaigns are likely to continue as the price and popularity of cryptocurrency rises. The NJCCIC recommends social media users review the Trend Micro report, educate themselves on this and similar tactics, enable account privacy settings, use strong passwords, enable multi-factor authentication where available, and monitor system CPU usage for spikes in activity that may indicate the presence of a cryptocurrency miner.