Trend Micro Inc. researchers discovered a new cryptojacking bot called Digmine lurking on Facebook Messenger. How does Digmine work, and how does it use Facebook to reach more victims?
Propagation is one of the harder parts of running a successful malware campaign: the spreading mechanism generates traffic that can be detected on the network, and it gives defenders clues they can use to identify, investigate and take down the malware's command-and-control (C&C) servers.
Attackers have already used Instagram and other social media platforms to host their C&C while distributing the malware itself through compromised websites. Social media is attractive for both C&C and propagation because enterprises do not always block traffic to and from those sites, so the malicious traffic blends in with legitimate use.
With most of that traffic now encrypted, identifying malicious behavior by inspecting it on the network is difficult; without control of the endpoint, where the unencrypted data can be examined, a defender has little visibility into what is actually being exchanged. Digmine, a cryptojacking bot that Trend Micro researchers recently discovered spreading through Facebook Messenger, is a case in point.
Digmine mines Monero using standard cryptojacking steps and adds a malicious Chrome extension. The initial link, sent via Facebook Messenger, appears to point to a video file but actually delivers an AutoIt executable script.
When the user clicks the link expecting a video, they instead run the malicious script, which installs the miner and the extension; the attack works only when the victim uses Facebook Messenger in Google Chrome. If the Facebook account on the compromised system is set to log in automatically, Digmine uses Messenger to send the same malicious link to the user's friends. Digmine only logs into the Facebook account in order to send those messages; it does not take over the account or post the malware to the user's timeline.
Facebook removed links to the Digmine malware after being notified by Trend Micro and has since added built-in checks to identify such malware, but there are other ways to deliver AutoIt executable scripts to users. Those scripts need to be blocked at the sites that host them or by endpoint security tools so they cannot be used to launch the attack.
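The lure described above (an archive named like a video that actually carries an AutoIt-compiled executable) lends itself to a simple gateway or endpoint check. The following is an added example written for this page, not code from the original article or from Trend Micro's research. It assumes the lure arrives as a ZIP archive with a video-like name, that the payload inside is a Windows PE image, and it uses the "AU3!EA06" string that compiled AutoIt v3 scripts embed as a heuristic marker (an assumption that the marker is present and not obfuscated). The sample archives it scans are constructed inline so the script runs offline.

```python
"""Flag archives that pose as videos but carry an AutoIt-compiled executable.

Added example for this page; not the article's or Trend Micro's code.
Assumptions: the lure is a ZIP archive with a video-like name, the payload is
a PE file, and the compiled AutoIt script still carries the 'AU3!EA06' marker.
"""
from __future__ import annotations

import io
import re
import zipfile

# Marker string embedded in executables built from AutoIt v3 scripts
# (heuristic; a packer or obfuscator could hide it).
AUTOIT_MARKER = b"AU3!EA06"
# Archive names that imitate a video download (assumed lure naming pattern).
VIDEO_NAME = re.compile(r"^(video|movie|clip)[_-]?\w*\.zip$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".a3x", ".lnk")


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if pe_off + 4 > len(data):
        return False
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def scan_archive(name: str, blob: bytes) -> list[str]:
    """Return a list of findings for one archive; an empty list means clean."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    for info in zf.infolist():
        if info.filename.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable inside archive: {info.filename}")
        payload = zf.read(info)
        if is_pe(payload):
            findings.append(f"PE image: {info.filename}")
            if AUTOIT_MARKER in payload:
                findings.append(f"AutoIt-compiled script marker in {info.filename}")
    # A video-looking archive that contains executables is the Digmine-style lure.
    if findings and VIDEO_NAME.match(name):
        findings.insert(0, f"archive name '{name}' mimics a video download")
    return findings


# --- constructed samples (not real malware) ---------------------------------

def build_fake_autoit_pe() -> bytes:
    """Minimal fake PE: MZ stub, e_lfanew = 0x80, 'PE\\0\\0', then the AutoIt marker."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)          # 0x3C bytes of DOS header
    hdr += (0x80).to_bytes(4, "little")            # e_lfanew at offset 0x3C
    hdr += b"\0" * (0x80 - len(hdr))               # pad up to the PE signature
    hdr += b"PE\0\0" + b"\0" * 20                  # PE signature + empty COFF header
    hdr += b"script-data " + AUTOIT_MARKER + b"\0" * 16
    return bytes(hdr)


def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()


# Constructed lure: video-named archive hiding a fake AutoIt-compiled executable.
LURE_ZIP = build_zip({"video_1492.exe": build_fake_autoit_pe()})
# Constructed benign archive: a (dummy) MP4 file only.
BENIGN_ZIP = build_zip({"holiday.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\0" * 32})


if __name__ == "__main__":
    print(scan_archive("video_1492.zip", LURE_ZIP))
    print(scan_archive("holiday_clip.zip", BENIGN_ZIP))
```

The check deliberately keys on structure (a PE image where a video was promised) before it looks for the AutoIt marker, so an archive that hides an executable behind a video-like name is still flagged if the AutoIt string has been packed away.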
Related Q&A from Nick Lewis