ktsdesign - Fotolia
Trend Micro Inc. researchers discovered a new cryptojacking bot called Digimine lurking on Facebook Messenger. How does Digimine work, and how does it use Facebook to reach more victims?
The propagation of malware is one of the more difficult aspects of a successful malware campaign, as it is one way that malware can be detected on the network and provides clues for defenders to identify, investigate and take down malware command-and-control (C&C) servers.
Attackers have already used Instagram, as well as other social media to set up their C&C while using compromised websites for malware distribution. Malicious actors like to use social media for malware C&C and propagation because enterprises do not always block traffic to and from social media sites.
With the widespread use of encrypted connections, it is difficult to analyze data to identify malicious behavior without having control of the endpoint where unencrypted data can be accessed. However, Trend Micro researchers recently discovered Digimine, a new cryptojacking bot that uses Facebook Messenger to spread.
Digimine mines Monero coins using standard cryptojacking steps along with a malicious Chrome extension. The initial malicious link, sent via Facebook Messenger, appears to be a video file, but it is actually an AutoIt executable script.
When the user clicks on the link, believing it will open a video, they are actually running the malicious script, which then takes over their computer if they are using Facebook Messenger for Google Chrome. If the infected user's Facebook account on the compromised system is set to log in automatically, Digmine uses Facebook Messenger to send a malware link to the user's friends. Digmine only logs into Facebook accounts and doesn't compromise the account or post the malware to Facebook.
Although Facebook removed links to the Digimine malware after being notified by Trend Micro and has since added built-in checks to identify malware, it seems that there are other ways to transfer AutoIt executable scripts. Those scripts must be blocked by sites or endpoint security tools to prevent them from being used in an attack.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Application and platform security
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading