Do you use Facebook Messenger? Do you use Chrome on your desktop? Do you also use Bitcoin and have a wallet? Would you install something that says that it’s a codec in order to watch a video? Then I hope you didn’t get hit by FacexWorm.
FacexWorm was originally discovered in August 2017. By prompting a target on Facebook to click a link that led to a malicious website, the attackers exposed the target to cryptocurrency scams. Malicious cryptomining code was then injected into webpages, and the target was redirected to the attacker’s cryptocurrency referral program. FacexWorm would go on to hijack cryptocurrency web wallets and trading platforms, replacing the target’s address with the attacker’s. So not only would the target’s CPU and memory get bogged down mining cryptocurrency for someone else, but any cryptocurrency funds the target had could be stolen and transferred to the attacker. It sounds like a very profitable sort of criminal activity.
When FacexWorm, a malicious Chrome extension, was initially discovered, Google did everything they could to get rid of it, including removing it from the Chrome Web Store.
Well, FacexWorm came back with a vengeance. It engages in the same malicious activities, but perhaps with some modifications in its code in order to evade detection.
FacexWorm’s April 2018 Revival
On April 8th, malware researchers discovered a reappearance of FacexWorm. The researchers observed significant FacexWorm activity that day, mainly in Taiwan, South Korea, Spain, Japan, Germany, and Tunisia. If a target follows a malicious link found on Facebook, the target’s Facebook friends also receive the attacker’s message, and a chain of events begins that eventually hijacks the target’s cryptocurrency wallet and may divert the target’s money to the attacker.
How FacexWorm Works
When a target is attacked, it all starts with a message sent by Facebook Messenger. The link in the message directs to a YouTube video. That sounds innocent enough, because Rickrolling is harmless. But instead of being greeted by the captivating 80s blue-eyed soul of Rick Astley, the user is prompted to install a codec in order to watch a different video. All YouTube videos on the web are delivered by HTML5 with the H.264 video codec and WebM these days, so almost all web browsers from the past few years can play any YouTube video without installing anything extra. Anyway, once the target is prompted to install the fake codec Trojan, they’ll be asked to grant the malware permission to change data in the webpage.
Once installed, FacexWorm will start communicating with the cyber attacker’s command and control servers. More malicious code is sent by the command and control servers to the target, and they get redirected to Facebook once again. FacexWorm will try to acquire the target’s Facebook OAuth access token. If that’s successful, the target’s Facebook friends will also receive the same malicious Facebook Messenger message if they are in online or idle status and are using desktop Chrome. If they’re using a different web browser, they’ll get some sort of advertisement instead as they won’t be able to install the FacexWorm Chrome extension.
FacexWorm proceeds to inject malicious JavaScript code that’s acquired from the cyber attacker’s command and control servers, and more malicious code will be injected into as many of the target’s webpages as possible.
These malicious web browser extensions that communicate with command and control servers usually engage in a plethora of harmful activities. Here’s what FacexWorm does.
Some of the JavaScript that the Trojan tries to inject into webpages is a cryptominer based on a Coinhive script but with modifications. 20% of the CPU’s power is used for cryptomining on each thread and the malware will attempt to run four threads. That’s a total of 80% of the CPU’s power for cryptomining! There should be an obvious significant decrease in PC performance, even if the target has an excellent multicore CPU with lots of cache and RAM.
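A miner that pins four threads at 20% each leaves a footprint that endpoint telemetry can catch: a browser process holding a high CPU share for several consecutive samples rather than a brief spike. The following is an added example, not code from the original post or from any vendor; it runs detection logic over constructed sample lines in the assumed format `ts=… pid=… name=… cpu=…`, with the threshold and streak length chosen as illustrative defaults.

```javascript
// Added example: flag processes whose CPU share stays above a threshold for
// several consecutive snapshots. The sample lines are constructed telemetry
// (format assumed: ts=<snapshot> pid=<pid> name=<image> cpu=<percent>).
const SAMPLES = [
  "ts=1 pid=4101 name=chrome cpu=3.2",
  "ts=1 pid=4102 name=chrome cpu=79.5",
  "ts=1 pid=2200 name=explorer cpu=1.0",
  "ts=2 pid=4101 name=chrome cpu=2.8",
  "ts=2 pid=4102 name=chrome cpu=81.0",
  "ts=2 pid=2200 name=explorer cpu=0.7",
  "ts=3 pid=4101 name=chrome cpu=65.0", // a single spike: must not alert
  "ts=3 pid=4102 name=chrome cpu=80.2", // sustained ~80%: the miner footprint
  "ts=3 pid=2200 name=explorer cpu=1.1",
];

// Turn one "key=value key=value" line into a typed record.
function parseSample(line) {
  const fields = Object.fromEntries(line.trim().split(/\s+/).map(kv => kv.split("=")));
  return {
    ts: Number(fields.ts),
    pid: Number(fields.pid),
    name: fields.name,
    cpu: Number(fields.cpu),
  };
}

// Return the processes whose cpu >= threshold in at least `consecutive`
// consecutive snapshots. A dip below the threshold resets that pid's streak,
// so short bursts (page load, video decode) do not trigger an alert.
function sustainedHighCpu(lines, { threshold = 60, consecutive = 3 } = {}) {
  const streak = new Map();  // pid -> current run of high-CPU snapshots
  const flagged = new Map(); // pid -> image name
  const samples = lines.map(parseSample).sort((a, b) => a.ts - b.ts);
  for (const s of samples) {
    const run = s.cpu >= threshold ? (streak.get(s.pid) || 0) + 1 : 0;
    streak.set(s.pid, run);
    if (run >= consecutive) flagged.set(s.pid, s.name);
  }
  return [...flagged].map(([pid, name]) => ({ pid, name }));
}

// Usage: console.log(sustainedHighCpu(SAMPLES)); // pid 4102 only
```

Only pid 4102 is reported: pid 4101 exceeds the threshold once and is ignored. In practice the threshold and streak length would be tuned per fleet, and a hit would be correlated with the process's loaded extensions rather than acted on alone.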
The malware looks for Coinhive, MyMonero, and Google credentials. The first two are cryptocurrency wallet related and may result in stolen money, whereas unauthorized Google account access can further ruin a user’s life by tampering with their Gmail and a wide assortment of other Google services. Any such credentials found are sent to the command and control servers.
If the user opens a tab in Chrome to one of FacexWorm’s 52 targeted cryptocurrency trading platforms, or if the user inputs keywords such as “ethereum” or “blockchain,” the user will be directed to a webpage for a cryptocurrency scam. They’ll be asked to send 0.5 to 10 ether in order to receive 5 to 100 ether in return. Of course, there’s no such thing as free money that way. If it sounds too good to be true, it probably is.
If the user opens a cryptocurrency transaction webpage, FacexWorm tries to acquire their cryptocurrency address, and replace it with the cyber attacker’s address. That way, the user will inadvertently send money to the attacker. The targeted cryptocurrencies include Bitcoin, Bitcoin Gold, Bitcoin Cash, Litecoin, Ripple, Ethereum, Ethereum Classic, Dash, Zcash, and Monero. So the most popular cryptocurrencies are affected.
If the user tries to visit DigitalOcean, Binance, FreeDoge.co.in, FreeBitco.in, or HashFlare, FacexWorm will redirect them to the attacker’s referral link for the website. The attacker receives money for every successful referral.
The Aftermath So Far
Security researchers have only found one hijacked Bitcoin transaction so far, for about $2.49 USD. That’s gotta be a very tiny fraction of a Bitcoin, but maybe there are a lot of hijacked transactions which they haven’t found yet.
The researchers have notified Facebook and Google about the reappearance of FacexWorm. The newer version of FacexWorm has been removed from the Chrome Web Store, and Facebook has banned some domains that are associated with FacexWorm’s malicious activity.
I think FacexWorm is a great example of how new web malware can relaunch several months after initially being stopped by antivirus vendors, developers, and online services like Facebook and Google. These sorts of cyber attacks keep big tech companies on their toes. But as FacexWorm is a Trojan, more should be done to educate users about avoiding social engineering.
Tags: antivirus, Trojan