A Chrome extension that was spotted back in August ’17 is making the rounds again. Dubbed FacexWorm, it is an old worm with new tricks up its sleeve. Victims of this malware make one crucial mistake: they acknowledge and open a blatantly malicious file!
How Does It Enter Your System?
When users open a random spam message from a mutual friend via Facebook Messenger, they find a video link in the message. The link takes them to a proxy YouTube site, which shows a pop-up asking them to load a codec extension to play the video. The extension then requests permission to change data on the opened website, supposedly for faster streaming of the video.
Once the script is loaded onto the PC, FacexWorm quietly downloads additional malicious code from its command-and-control (C&C) server. It then opens Facebook’s website and sends messages to all the friends and followers on your list. This is how it gets onto your system and then uses it to spread further across the network.
How Does It Affect Your System?
When the malicious link is accessed through a browser other than the desktop version of Google Chrome, it redirects to a random advertisement, which helps it avoid detection. Every time a new webpage is opened, the extension queries the C&C server to find and retrieve another piece of JavaScript code, hosted on a GitHub repository, and repeats the same process on that webpage.
If the victim has a cryptocurrency wallet saved on their PC, or accesses a cryptocurrency transaction page online, FacexWorm locates the address that has been entered and replaces it with one specified by the hacker behind the worm.
FacexWorm has the potential to perform this switch on a number of trading platforms such as Binance, Poloniex, Bitfinex and HitBTC amongst others.
The cryptocurrencies it targets for this switch include Bitcoin (BTC), Dash (DASH), Ethereum Classic (ETC), Monero (XMR) and many others.
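The address swap described above leaves one observable symptom: the value the form finally submits is no longer the value the user actually typed or pasted. The following is an added example, not code from the article or from any wallet or exchange, of a defender-side tripwire for that symptom; the class and function names and the rough address patterns are assumptions.

```javascript
// Added example (not from the article): a guard for a cryptocurrency address
// field. It remembers what the user really typed or pasted and, just before
// submission, checks whether the field now holds a different address.
// Runs in Node with no DOM; the browser wiring is sketched in a comment below.

// Assumption: rough syntactic shapes of the address formats the article names.
// Good enough to tell "an address of this coin" apart, not for full validation.
const ADDRESS_PATTERNS = {
  BTC: /^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$/,
  ETH: /^0x[0-9a-fA-F]{40}$/,                  // Ethereum and Ethereum Classic
  XMR: /^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$/,
};

// Returns 'BTC', 'ETH', 'XMR', or null when the value looks like none of them.
function classifyAddress(value) {
  const v = value.trim();
  for (const [coin, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(v)) return coin;
  }
  return null;
}

class AddressFieldGuard {
  constructor() { this.lastUserValue = ''; }

  // Wire to the field's 'input' event. It fires for user-driven edits but not
  // when a script assigns field.value, which is how a silent swap shows up.
  // A content script could still dispatch a synthetic event, so this is a
  // tripwire, not proof of integrity.
  onUserInput(value) { this.lastUserValue = value.trim(); }

  // Call with the field's current value right before the form submits.
  check(currentValue) {
    const current = currentValue.trim();
    if (current === this.lastUserValue) return { ok: true, reason: 'unchanged' };
    if (this.lastUserValue === '') return { ok: true, reason: 'no user input recorded' };
    const coin = classifyAddress(current);
    if (!coin) return { ok: true, reason: 'not an address' };
    return { ok: false, reason: `${coin} address differs from what the user entered` };
  }
}

// Browser wiring (assumption, illustrative only):
//   const guard = new AddressFieldGuard();
//   field.addEventListener('input', e => guard.onUserInput(e.target.value));
//   form.addEventListener('submit', e => {
//     if (!guard.check(field.value).ok) e.preventDefault();   // block and warn
//   });
```

A wallet or exchange front end would surface the failed check as a visible warning rather than submitting the transaction, since the user cannot otherwise tell a swapped address from the one they pasted.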
What Are The Potential Damages It Can Undertake?
The FacexWorm malware loads onto your system via a social media portal. Because of this, it has many ways of affecting its victims and their digital identity.
1) It can compromise the victim’s account credentials on various platforms such as Google, Coinhive and other social media sites. Once it gains access to the victim’s logins, it sends all this data back to its main server and continues to keep track of them.
2) It can also mine cryptocurrency on the victim’s PC. An overly complicated Coinhive script runs undetected on the victim’s PC. The script connects to a Coinhive pool and uses the victim’s PC’s processing power to mine cryptocurrency for the hacker’s wallet. CPU usage is capped at 20%, but that is still an extra 20% on the power bill that the victim is paying for.
3) FacexWorm can unwillingly involve the victim in a cryptocurrency scam. Using the account details at the malware’s disposal, it watches for keywords such as Blockchain, Bitcoin, Ethereum, Ripple etc. and redirects the victim to a pre-prepared scam page. The scam page carries fake claims from supposed winners who sent 0.5 to 10 ether (ETH) to the attacker’s wallet address and received between 5 and 100 ETH in return. Note: This is one of the most common forms of cryptocurrency scam in the market.
4) When a victim accesses a website, there is a high chance that FacexWorm will display a proxy website of the same name. These proxy sites are set up by the attacker as referral links to the original website, so the attacker earns referral incentives. Some of the sites targeted in this manner are DigitalOcean, Binance, HashFlare and FreeBitco.in.
In Conclusion: Beware!
While there haven’t been many reports about its current victims, FacexWorm has the potential to be one of the most damaging pieces of malware. It can compromise one’s digital identity and even ruin one’s cryptocurrency wallets in the long run. We advise readers to be wary before clicking on any such messages they receive on Facebook Messenger, regardless of the sender’s name.