Skip to main content

Cryptocurrency mining bot spreading via Facebook Messenger in Chrome for desktop

Facebook Messenger
Security firm Trend Micro reports that a cryptocurrency mining bot is now spreading through Facebook Messenger in Google’s Chrome browser for desktop. Called Digmine, it was first spotted in South Korea, and has since spread into Azerbaijan, the Philippines, Thailand, Ukraine, Venezuela, and Vietnam. The bot will likely show up in other regions soon given how fast it’s spreading.

The report doesn’t say how Digmine began spreading through Facebook Messenger, but it appears in the chat client as a non-embedded video file. When the recipient clicks on the file, the so-called video — which is actually an executable script — downloads components from a remote server to install a Chrome extension. This extension will either continue to stream a bogus video from a “decoy” website, or log onto Facebook to spread the malicious love to friends.

Typically, Chrome extensions can only be installed through the Chrome Web Store. But the Digmine setup bypasses this requirement by installing the extension through a command-line interface. During the installation process, the script will receive its configuration through the remote server, and instructions to either load the site hosting the bogus video — which contains additional configurations — or access Facebook if users have Chrome set to automatically log onto the social network.

“A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim’s system for as long as possible,” Trend Micro states. “It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income.”

While running, Digmine will silently mine for digital currency in the background as infected users surf the internet. The mining component, listed as codec.exe on the PC, is a modified version of an open-source Monero miner called XMRig. It remains in contact with a remote server as it silently generates the Monero coins.

But Digmine could be used for more than just mining Monero. Based on its design, hackers could eventually upgrade Digmine to completely hijack Facebook accounts. Since it is basically controlled by a remote “command” server, hackers could simply update the code to seize Facebook accounts accessed by infected PCs. Trend Micro provided its findings to Facebook, which immediately removed a large portion of the fake video links.

One sign of infection stems from the installation process. If you clicked on a Messenger video within Chrome, the browser will restart as the extension installs and loads. Moreover, browser-based cryptocurrency mining consumes large amounts of processing power, so your PC may feel sluggish, with your fans spinning at an unusually loud level.

In both cases, navigate to Chrome’s Customize and control button, and select More tools > Extensions in the drop-down menu. On the resulting page, trash every enabled extension that looks suspicious. Of course, the best way to avoid infection of any kind is to not click on files and links sent through Facebook Messenger. But given that friends you trust toss links back and forth every day, avoiding malware in that manner can be difficult.

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Facebook’s new Coronavirus Community Hub on Messenger provides tips, resources
facebook messenger coronavirus community hub

Facebook launched the Coronavirus Community Hub on Messenger, which aims to provide people with tips and resources regarding the new coronavirus, officially known as COVID-19, while preventing the propagation of misinformation.

In a blog post announcing the new community hub, VP of Messenger Stan Chudnovsky revealed that the messaging service has seen increased usage as people keep in touch with their loved ones. Chudnovsky said that 70% more people are participating in group video calls, and the time that people spend in group video calls has doubled.

Read more
Facebook teaches us all how web privacy works with Messenger Kids
facebook messenger kids privacy education how your info is used 1

Facebook -- the network that paid a $5 billion fine over privacy violations last summer -- wants to help teach kids about the lack of privacy on the internet. In a slew of new features to Messenger Kids, Facebook is launching a tool that uses simple, kid-friendly language to detail how user information is used. While Facebook is hardly a role model on user data, the rundown on data use is, frankly, something some adults could use, too.

Facebook says the in-app tool aims to inform kids on what types of information others can see about them -- which is more restricted in Messenger Kids than any other Facebook-owned app. The in-app tool reminds kids that names and photos are visible to other people, parents can see messages, messages can’t be deleted, and Facebook saves user information.

Read more
Another partner backs out of Facebook’s Libra cryptocurrency
Facebook Libra

Yet another company that signed on as a partner in Facebook’s proposed cryptocurrency known as Libra has backed out of the association. The British telecommunications operator Vodafone announced its departure from Facebook’s Libra Association on Tuesday, Coindesk reports. In total, eight companies have now backed out of the Libra partnership. 

"We can confirm that Vodafone is no longer a member of the Libra Association. Although the makeup of the Association members may change over time, the design of Libra's governance and technology ensures the Libra payment system will remain resilient," the Libra Association said in a statement. "The Association is continuing the work to achieve a safe, transparent, and consumer-friendly implementation of the Libra payment system.”

Read more