- Digmine only works on the desktop version of Google Chrome
- It is downloaded through a link to a video that is sent through Facebook Messenger
- It downloads a program that clandestinely mines Monero in the background
Along with the cryptocurrency fever, clandestine mining by hackers has been on the rise. The cybersecurity firm Trend Micro has warned of a new type of malware that is used to mine Monero. Baptized Digmine, it arrives as a link to a video file sent via Facebook Messenger, but is actually a self-executing script that hijacks the web and desktop version of the instant messaging service of the world's most-used social network through the Google Chrome browser.
Digmine downloads a malicious extension in Chrome to send the video link via Facebook Messenger
The Digmine malware is designed to bypass the controls of the Chrome Web Store, since its operation is based on a connection to a command and control (C&C) server, from which it downloads its different components. One of them is a malicious Chrome browser extension that runs alongside the Messenger web application and leads the victim to a fake website showing the video that is part of the deception. If the person has their Facebook account configured to log in automatically, Digmine manipulates Messenger to send a message to all of the account holder's contacts with a text that suggests opening the decoy video file.
It also downloads a program that mines Monero in the background for hackers
Through another C&C server, it also downloads a modified version of XMRig, an open-source miner for this cryptocurrency, which mines Monero in the background for the hackers. An infection becomes noticeable through the anomalous consumption of the computer's resources. Digmine only works through the desktop version of Messenger in Google Chrome; if the link is opened from the app on a mobile phone, the malware does not work as intended.
“Digmine will also perform other routines, such as the installation of an automatic logon mechanism and a system infection marker. It will search for and start Chrome and then load a malicious browser extension that it retrieves from the C&C server. [If Chrome is already] running, the malware will terminate and restart Chrome to ensure that the extension is loaded. Although extensions can only be loaded and hosted from the Chrome Web Store, attackers bypass this when they start Chrome (loaded with the malicious extension) through the command line,” Trend Micro said in a statement, adding:
“The [Chrome] extension will read its own configuration from the C&C server. The extension can be told to proceed with the Facebook login or to open a fake page that will play a video. The decoy website that plays the video also serves as part of its C&C structure. This site is intended to look like a video-streaming site, but it also contains a large number of configurations for the malware components.”

The researchers suspect North Korea as the country of origin, but they do not yet have concrete evidence. According to Trend Micro, the countries affected so far are Azerbaijan, South Korea, Ukraine, Vietnam, the Philippines, Thailand and Venezuela. However, the cybersecurity firm believes that, given its rapid spread, it will not take long to reach other nations.
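The bypass Trend Micro describes, starting Chrome from the command line with the malicious extension already loaded, leaves a process-creation trail that a defender can look for. The following is an added example, not code from the article or from Trend Micro: it runs a simple detection rule over a few constructed process-creation events (Sysmon Event ID 1 style dictionaries, with invented paths and file names). It assumes that Chrome's documented `--load-extension=` switch is the mechanism meant by "through the command line", and flags Chrome launches that use it, raising the severity when the parent process is not the desktop shell or Chrome itself, or when the extension directory sits in a user-writable location.

```python
import ntpath
import re
from dataclasses import dataclass

# Chrome's command-line switch for side-loading an unpacked extension directory.
# Several directories may be given separated by commas. The path may be quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')

# Parents from which an interactive Chrome launch is expected on Windows.
# Anything else (an unknown executable, as in the reported infection chain) raises severity.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}

# Constructed sample events; every path and file name here is invented for this example.
SAMPLE_EVENTS = [
    {   # ordinary user launch from the desktop, no side-loaded extension
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # Chrome relaunched by an unknown binary with an extension from AppData
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Users\victim\AppData\Roaming\video_1234.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Roaming\ext" https://www.facebook.com/messages',
    },
    {   # a developer testing an unpacked extension from a normal shell launch
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\my-extension --no-first-run',
    },
    {   # not Chrome at all; the switch is meaningless here and must not match
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'notepad.exe --load-extension=C:\dev\notes.txt',
    },
]


@dataclass
class Finding:
    image: str
    parent: str
    extension_dirs: list
    severity: str
    reason: str


def extension_dirs_from_cmdline(cmdline: str) -> list:
    """Return the directories passed via --load-extension, or [] if the switch is absent."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [p.strip() for p in raw.split(",") if p.strip()]


def is_user_writable(path: str) -> bool:
    """Heuristic: extension directories under per-user or temp locations are suspicious."""
    lowered = path.replace("/", "\\").lower()
    markers = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
    return any(mk in lowered for mk in markers)


def analyze_event(event: dict):
    """Apply the rule to one process-creation event; return a Finding or None."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    if image_name != "chrome.exe":
        return None
    dirs = extension_dirs_from_cmdline(event.get("CommandLine", ""))
    if not dirs:
        return None
    parent_name = ntpath.basename(event.get("ParentImage", "")).lower()
    severity = "medium"
    reasons = ["chrome.exe started with --load-extension (side-load outside the Chrome Web Store)"]
    if parent_name not in EXPECTED_PARENTS:
        severity = "high"
        reasons.append(f"launched by unexpected parent {parent_name or '<unknown>'}")
    if any(is_user_writable(d) for d in dirs):
        severity = "high"
        reasons.append("extension directory is in a user-writable location")
    return Finding(event["Image"], event.get("ParentImage", ""), dirs, severity, "; ".join(reasons))


def analyze_events(events: list) -> list:
    """Run the rule over a list of events and keep only the hits."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {ntpath.basename(f.parent)} -> {ntpath.basename(f.image)} "
              f"loading {f.extension_dirs}: {f.reason}")
```

The rule deliberately keeps the plain developer case at medium severity rather than dropping it: side-loading an unpacked extension is legitimate for extension developers, so an analyst would tune the parent and path heuristics to the environment rather than treat every hit as an infection. The same two escalation conditions (unexpected parent, user-writable extension directory) map directly onto the chain the statement describes, where the dropper itself restarts Chrome with the extension it fetched from the C&C server.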
Trend Micro has also informed Facebook of its findings, and many of the malicious links in its messaging service have already been removed. The social network said in a statement: “We maintain several automated systems to prevent links and damaged files from appearing on Facebook and Messenger. If we suspect that your computer is infected, we will provide you with a free antivirus from our trusted partners.”
Hackers' interest in Monero stems from the fact that the cryptocurrency was created in 2014 as an even more private and anonymous alternative to Bitcoin. The difference is that Bitcoin's blockchain lets anyone review the history of a unit, whereas Monero records that history in its blockchain but does not let users inspect it. It has therefore become the favorite on the black markets of the Internet, such as the Deep Web.