Facebook Messenger Malware that Steals Private Data Resurfaces

A malware family called FacexWorm, which spreads through fake Facebook Messenger messages, resurfaced last month. It has also evolved: it can now steal passwords and cryptocurrency and run a cryptojacking miner on infected machines.

Originally discovered in August of last year, FacexWorm sends out phishing messages over Facebook Messenger.

Victims are then taken to bogus copies of legitimate websites such as YouTube, where they are asked to install a malicious Chrome extension.

FacexWorm had been dormant since late last year, only to come back to life in April, when security researchers noticed a sudden surge of activity among Facebook users.

Researchers from Trend Micro, the team that named it FacexWorm, said that while the malware still spreads through Facebook and targets Google Chrome, many of its features have been retooled.

One of the newer features is the ability to steal login credentials for specific websites, such as Google and cryptocurrency sites. FacexWorm also runs its own set of cryptocurrency scams and mines cryptocurrency on compromised systems.

None of this happens until FacexWorm is installed on a computer. That starts when a victim receives a fake message from a Facebook contact that directs them to a fraudulent YouTube page.

The page tells the user to install an extension in order to play the video. That extension is FacexWorm, and on installation it requests permission to access the sites the user visits and to read and change their data.

Instances of FacexWorm infections have increased since the malware was updated

Once installed, the extension contacts its command-and-control server and, from the victim's account, sends the same fake YouTube links to the victim's contact list, so each infection spreads the malware further.

On top of this, FacexWorm also watches the URLs of websites the victim visits for keywords such as "ethereum" or "blockchain".

If a match is found, the malware redirects the user to another fake web page that asks for a cryptocurrency payment for "wallet address verification", promising that the funds will be returned as soon as the account is confirmed.

Fortunately, there have been no reports of users losing cryptocurrency this way. It is, however, only one of several ways FacexWorm can steal cryptocurrency from infected systems.

The malware's miner is also said to limit itself to about 20% of the CPU, so the slowdown is less likely to be noticed.

It has another way of hiding itself: it immediately closes Chrome's extension management tab (chrome://extensions) whenever the user opens it, so the extension cannot be inspected or removed through the normal UI.
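Because the extension closes the management tab, the practical way to check a machine is to read the installed extensions' manifests straight from the profile directory on disk, which the extension cannot interfere with. The following is an added example, not code from the article or from Trend Micro: it walks the standard Chrome profile layout (Extensions/&lt;id&gt;/&lt;version&gt;/manifest.json) and flags any extension that can read and change data on all sites or that holds tab- and request-level permissions, which is what the article says FacexWorm asks for. The permission lists, the extension ids and the two manifests below are constructed for the example.

```python
"""Flag Chrome extensions with broad permissions by reading manifests from disk.

Added example (not from the article or Trend Micro). Real profile paths:
  Linux:   ~/.config/google-chrome/Default
  Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default
Layout assumed: <profile>/Extensions/<id>/<version>/manifest.json
"""
import json
import os
import tempfile

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (chosen for this example).
SENSITIVE_PERMS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation", "cookies"}


def extension_manifests(profile_dir):
    """Yield (extension_id, version, manifest) for each installed extension."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, json.JSONDecodeError):
                continue  # unreadable manifest: skip, do not crash the scan
            yield ext_id, version, manifest


def assess(manifest):
    """Return the reasons a manifest looks risky; an empty list means none."""
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions", MV3 in "host_permissions";
    # content scripts carry their own match patterns.
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    reasons = []
    if hosts & BROAD_HOSTS:
        reasons.append("can read and change data on all sites")
    sensitive = sorted(perms & SENSITIVE_PERMS)
    if sensitive:
        reasons.append("sensitive API permissions: " + ", ".join(sensitive))
    return reasons


def flag_extensions(profile_dir):
    """Return {extension_id: [reasons]} for extensions that warrant inspection."""
    flagged = {}
    for ext_id, _version, manifest in extension_manifests(profile_dir):
        reasons = assess(manifest)
        if reasons:
            flagged[ext_id] = reasons
    return flagged


# Constructed sample profile: one harmless extension and one that asks for
# the kind of access the article describes. Ids are placeholders.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
RISKY_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"
SAMPLE_MANIFESTS = {
    BENIGN_ID: {"name": "Notes", "version": "1.0", "permissions": ["storage"]},
    RISKY_ID: {
        "name": "Video Codec",
        "version": "2.1",
        "permissions": ["tabs", "webRequest", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}


def build_sample_profile():
    """Write the constructed manifests into a temp profile and return its path."""
    profile = tempfile.mkdtemp(prefix="chrome-profile-")
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = os.path.join(profile, "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return profile


if __name__ == "__main__":
    for ext_id, reasons in flag_extensions(build_sample_profile()).items():
        print(ext_id, "->", "; ".join(reasons))
```

Point the script at a real profile directory instead of the sample to audit a machine; anything flagged with site-wide access that the user does not recognise should be removed from disk while Chrome is closed, since the article notes the extension prevents removal through the management tab.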

Trend Micro researchers have observed that the malicious extensions reappear on the Chrome Web Store almost as quickly as Google removes them.

Facebook runs several automated systems intended to stop harmful links and files from spreading on Facebook and Messenger, and when it detects that a device was infected via Facebook it can offer the user free antivirus software from its partners.

To further protect themselves, Trend Micro urged users to think before sharing, to treat unsolicited or suspicious messages with caution, and to enable the strictest privacy settings on their social media profiles.
