Beware: 'Digmine' Cryptocurrency Bot Is Spreading Via Facebook Messenger

Cybersecurity firm Trend Micro has discovered a cryptocurrency bot that is being spread through Facebook Messenger. The bot, dubbed Digmine, was discovered in South Korea and has since been found in Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. TechSpot explains: Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension. Extensions can only be downloaded from the Chrome Web Store, but this is bypassed using the command line. Once the malware infects a system, a modified version of XMRig -- a Monero mining tool -- is installed. This mines the cryptocurrency in the background using a victim's CPU, sending all profits back to the hackers. Additionally, the Chrome extension is also used to spread Digmine. If someone has their Facebook account set to log in automatically, the fake video file link will be sent to all their friends via Messenger. The malware could also be used to take over a Facebook account entirely. The good news is that Digmine only works through the Chrome desktop version of Messenger. Right now, opening the malicious file via the Facebook/Messenger app or mobile webpage won't have the same effect. After Trend Micro revealed its findings, Facebook said it had taken down any links connected to Digmine.

Old school is best school

[nitehawk214]

Mobile means we get to relive all the same attacks we saw decades ago.

Re:Old school is best school

[Actually,+I+do+RTFA]

No, see, it's totally different. Chrome sandboxes extensions so this cannot possibly be an attack. Now I'm to run some more arbitrary JavaScript from the internet without being asked first or even told what's running</sacrasm>

Re: Easy to block using hosts files... apk

[arth1]

It also doesn't do diddly squat for blocking URLs like https://translate.google.com/t...
Nor domains where some content is good and some is evil. It's all or nothing.
Nor randomly generated hostnames like f359db86.evil.com where the attacker points *.evil.com to the same A/AAAA (with a simple 8 nibble address like this, you'd need 4,294,967,296 host names).
Nor if using a proxy server that doesn't have a host list, because the proxy server does the resolving.
Nor if using a resolver that doesn't have file as the first lookup mechanism. (Mine have "dns [!UNAVAIL=return] files")
Nor can it block apk spamming slashdot.

It's almost 2018. You have to be pretty delusional to think that host files blocking is useful today.

How could the victims know?

[CustomSolvers2]

The true intention was well disguised! Who wouldn't have opened a file called "video_xxx" sent by a random person? A different story would have been a name like "warning_this_is_a_virus_never_ever_click_here"; even in that case, around 25% of people might click on it anyway. There are lots of unlucky individuals out there who cannot do anything to avoid this almost-perfect technique to succeed. LOL.

Re:...and double click a Microsoft Windows .exe fi

[Bruinwar]

Victims receive a file named "video_xxxx.zip" from one of their Facebook Messenger contacts. Opening it will load Chrome along with a malicious browser extension.

How does opening a .zip run the contents? Does the user also have to run the i-know-you-want-to-double-click-me.exe file?

That's an easy one, you count on users trusting Windows. Since the start Windows has screwed users with extensions. Either hiding them or only showing the first encountered.

MyFile.zip.exe was very popular awhile back, it would show as a MyFile or Myfile.zip file, yet run as the hidden .exe file.

As for asking to run it, many have most likely tired of saying yes to the requester and disabled it.

The first thing I do when working on someone's computer is uncheck the box "Hide extensions of known file types".