Cybersecurity firm Radware have uncovered a new malware campaign on Facebook that has stolen account credentials and installed scripts on victim computers in order to mine for cryptocurrency. Named Nigelthorn, the malware campaign has been active since March 2018, and has infected more than 100,000 users globally. It abuses a legitimate Google Chrome extension Nigelify, which replaces web images with pictures of Nigel Thornberry, the character from cartoon television show The Wild Thornberrys, thus the name Nigelthorn.
The malware campaign aims to trick users into downloading malware that would hijack accounts, and mine for cryptocurrency.
How users get infected?
Links to the infection are spread via Facebook messages and posts, and when users click on them, they are taken to a bogus YouTube website. A pop-up window then appears asking to add a Google Chrome extension in order to play the video. If the user clicks on “Add extension”, the malware installs onto the computer. Radware notes that the campaign seems to focus on Chrome browsers, so users using other browsers should not be at risk.
The infected user then starts unknowingly spreading the malware via Facebook Messenger or a new post with tags for up to 50 contacts. When someone presses on the link, the process begins again.
The malware has to bypass Google’s validation checks, and according to Radware, to do that the campaign operators created copies of legitimate extensions and injected a short, obfuscated malicious script to start the malware operation. The security firm has observed that there have been seven of these malicious extensions, four of which have been since blocked by Google.
Malware capabilities
The malware can steal Facebook login credentials and Instagram cookies.
“If login occurs on the machine (or an Instagram cookie is found), it will be sent to the C2. The user is then redirected to a Facebook API to generate an access token that will also be sent to the C2 if successful. Authenticated users’ Facebook access tokens are generated and the propagation phase begins. The malware collects relevant account information for the purpose of spreading the malicious link to the user’s network.” Radware explains.
The security firm also notes that a cryptomining tool is also downloaded, and the attackers had tried to mine three different coins, Monero, Bytecoin and Electroneum.
“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies. The JavaScript code is downloaded from external sites that the group controls and contains the mining pool.”
The researchers from the security firm note that around $1000 was mined in six days.
Protecting yourself against such malware
Facebook being used to spread some kind of malware is nothing new. However, a lot of users still remain unaware that clicking on a strange link sent by a contact could possibly lead to a malware infection. While Facebook is generally quick to remove malicious links from messages and posts, it is still not fast enough to prevent infection 100%.
Nevertheless, there is one thing users can do to not infect their computers and have their social media accounts take over, and that is to not click on strange links, even if they are sent by a friend. Another golden rule is to not install unknown extensions. There have been enough similar malware campaigns for users to understand that they should not install random extensions just because a pop-up request appears.