A new malware campaign has been discovered on Facebook that not only steals account information but also installs scripts for covert cryptocurrency mining.
Cybersecurity firm Radware said in a blog post on Thursday that Nigelthorn is a new campaign targeting the Facebook social network.
The malware is so named because it abuses a legitimate Google Chrome extension called "Nigelify", which replaces images on web pages with pictures of Nigel Thornberry.
Nigelthorn was discovered in May of this year and has infected more than 1
According to Radware researchers, the Nigelthorn campaign spreads through social engineering, using posts and private messages on the social network to get users to download malware for account hijacking, cryptojacking and click fraud.
Potential victims see a post from a connection on their network that tags them, or receive a private message; either contains a malicious link or image.
When a victim clicks through, the malicious link directs them to a spoofed YouTube page that asks them to install a Google Chrome extension in order to play the video.
To circumvent Google's validation checks, the threat actor responsible makes copies of legitimate extensions and injects short, obfuscated malicious scripts into them.
When a user accepts the "Add Extension" prompt, the malicious extension is installed and the victim's system is added to a botnet.
The malicious extensions also redirect the victim to Facebook to generate a session token, hijack the session, harvest the victim's Facebook credentials and send them to command-and-control (C&C) servers.
This access allows the malware to send and spread messages on the victim's behalf.
Nigelthorn can also steal Instagram cookies if found.
The malware also forces the victim's machine to covertly mine cryptocurrency, sending the proceeds to mining pools controlled by the attacker.
Radware says Monero, Bytecoin and Electroneum have been mined in recent days, earning the attackers about $1,000.
Nigelthorn uses a number of techniques to maintain persistence on the victim's machine. When a victim attempts to open the Extensions tab, the malware automatically closes it. The malware also prevents users from downloading Facebook and Chrome cleaner tools, deleting Facebook posts, and making comments.
While malicious copies of Nigelify are responsible for the majority of infections, researchers have also found other legitimate extensions that were abused, including PwnerLike and iHabno.
Four other extensions were discovered by Google's security systems and removed in less than 24 hours.
The majority of infections took place in the Philippines, Venezuela and Ecuador.
"The malware depends on Chrome and runs on both Windows and Linux," the researchers say. "It's important to emphasize that the campaign is focused on Chrome browsers, and Radware believes that users who do not use Chrome are not at risk."
A Google spokesman told Threatpost that "the malicious extensions were removed from the Chrome Web Store and from the browsers of the small percentage of affected users within hours of notification."