Trend Micro Inc. researchers discovered a new cryptojacking bot called Digmine lurking on Facebook Messenger. How does Digmine work, and how does it use Facebook to reach more victims?
Propagation is one of the harder parts of a successful malware campaign: spreading generates activity that can be detected on the network, and that activity gives defenders clues for identifying, investigating and taking down the malware's command-and-control (C&C) servers.
Attackers have already used Instagram and other social media sites to host their C&C while distributing the malware itself through compromised websites. Social media is attractive for C&C and propagation because enterprises do not always block traffic to and from those sites, so the malicious traffic blends in with legitimate use.
With the widespread use of encrypted connections, it is difficult to identify malicious behavior by analyzing traffic alone; without control of the endpoint, where the unencrypted data can be inspected, much of it is opaque. Digmine, the new cryptojacking bot that Trend Micro researchers recently found spreading through Facebook Messenger, is a current example of these techniques in use.
Digmine mines Monero coins using the standard cryptojacking approach and also installs a malicious Chrome extension. The initial link, sent via Facebook Messenger, appears to point to a video file, but what it actually delivers is an AutoIt executable script.
When the user clicks the link expecting a video, they instead run the malicious script, which takes over the computer if the user accesses Facebook Messenger through Google Chrome. If the infected user's Facebook account on the compromised system is set to log in automatically, Digmine uses Facebook Messenger to send the malware link to the user's friends. Digmine only logs into the Facebook account to send that link; it does not otherwise compromise the account or post the malware to Facebook.
Although Facebook removed links to the Digmine malware after being notified by Trend Micro, and has since added built-in checks to identify malware, there are other ways to deliver AutoIt executable scripts. Sites and endpoint security tools must block such scripts, based on what the file actually is rather than the name or extension it arrives with, to prevent them from being used in an attack.
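The following is an added example, not code from the original Q&A or from Trend Micro's research: a small triage check of the kind an endpoint or upload filter could apply to a "video" received over a messaging service. It flags files that carry a video-like name but start with a Windows PE header, recognises compiled AutoIt executables by the "AU3!EA06" resource marker they embed, and checks that files with a genuine video extension have the matching container header. The lure file names, the archive and the fake dropper bytes are all constructed test data; the dropper stand-in is not a runnable program.

```python
import io
import os
import zipfile

# Added example, not the original Q&A's or Trend Micro's code: triage of
# "video" attachments that are really Windows executables, including
# compiled AutoIt scripts such as the Digmine dropper. Everything built in
# build_samples() is synthetic stand-in data, not real malware.

VIDEO_EXTENSIONS = {".mp4", ".avi", ".mov", ".mkv", ".wmv", ".flv"}
# Expected header bytes (offset, magic) for a few genuine video containers.
VIDEO_MAGIC = {
    ".mp4": (4, b"ftyp"),               # ISO base media "ftyp" box
    ".mov": (4, b"ftyp"),
    ".avi": (0, b"RIFF"),
    ".mkv": (0, b"\x1a\x45\xdf\xa3"),   # EBML header
}
PE_MAGIC = b"MZ"             # DOS stub header of every Windows PE file
ZIP_MAGIC = b"PK\x03\x04"    # ZIP local file header
AUTOIT_MARKER = b"AU3!EA06"  # resource signature embedded in compiled AutoIt3 executables


def looks_like_video_name(name):
    """True when the file name promises a video: 'video_1234.exe' or 'clip.mp4.exe'."""
    base = os.path.basename(name).lower()
    parts = base.split(".")
    return base.startswith("video") or any("." + p in VIDEO_EXTENSIONS for p in parts[1:])


def triage_file(name, data, findings=None, depth=0):
    """Classify one file, recursing into ZIP archives up to two levels deep.

    Appends (name, verdict, reasons) tuples to findings and returns the list.
    """
    if findings is None:
        findings = []
    if data.startswith(ZIP_MAGIC) and depth < 2:
        # Lures often arrive as an archive; inspect each member instead.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    triage_file(name + "/" + info.filename, zf.read(info), findings, depth + 1)
        return findings

    ext = os.path.splitext(name.lower())[1]
    reasons = []
    if data.startswith(PE_MAGIC):
        reasons.append("pe-executable")
        if AUTOIT_MARKER in data:
            reasons.append("compiled-autoit")
        if looks_like_video_name(name):
            reasons.append("video-name-mismatch")
    elif ext in VIDEO_MAGIC:
        offset, magic = VIDEO_MAGIC[ext]
        if data[offset:offset + len(magic)] != magic:
            reasons.append("video-header-mismatch")
    verdict = "block" if reasons else "allow"
    findings.append((name, verdict, reasons))
    return findings


def triage_all(files):
    """Run triage_file over a {name: bytes} mapping; returns {name: (verdict, reasons)}."""
    results = {}
    for name, data in files.items():
        for found_name, verdict, reasons in triage_file(name, data):
            results[found_name] = (verdict, reasons)
    return results


def build_fake_autoit_dropper():
    """Synthetic stand-in for a compiled AutoIt dropper: a PE-looking header
    followed by the AutoIt resource marker. It is not a runnable program."""
    return PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200 + AUTOIT_MARKER + b"\x00" * 32


def build_samples():
    """Constructed test files mimicking a Messenger 'video' lure plus benign files."""
    dropper = build_fake_autoit_dropper()
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("video_4821.exe", dropper)
    return {
        "video_4821.zip": archive.getvalue(),                        # archive wrapping the dropper
        "clip.mp4.exe": dropper,                                     # double-extension lure
        "holiday.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64,   # genuine-looking MP4
        "notes.txt": b"meeting at 10",                               # plain text
    }


if __name__ == "__main__":
    for name, (verdict, reasons) in triage_all(build_samples()).items():
        print(f"{verdict:5} {name}  {', '.join(reasons)}")
```

The decision is driven by the bytes, not the name: a PE header is enough to block a file that claims to be a video, and the AutoIt marker is an extra signal that identifies the dropper family rather than a prerequisite for blocking. Real deployments would add more container formats and a size cap before unpacking archives.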
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Related Q&A from Nick Lewis