
Do you use Facebook Messenger? Do you use Chrome on your desktop? Do you also use Bitcoin and have a wallet? Would you install something that says that it’s a codec in order to watch a video? Then I hope you didn’t get hit by FacexWorm.

FacexWorm was originally discovered in August 2017. By prompting a target on Facebook to click a link that directs to a malicious website, it exposes them to cryptocurrency scams. Malicious cryptomining code is then injected into a webpage, and the target is redirected to the cyber attacker’s cryptocurrency referral program. FacexWorm would go on to hijack cryptocurrency web wallets and trading platforms, replacing the target’s address with the cyber attacker’s. So not only would the target’s CPU and memory get bogged down by mining cryptocurrency for someone else, but any cryptocurrency funds that the target may have would get stolen and transferred to the attacker. It sounds like a very profitable sort of criminal activity.

When FacexWorm, a malicious Chrome extension, was initially discovered, Google did everything they could to get rid of it, including removing it from the Chrome Web Store.

Well, FacexWorm came back with a vengeance. It engages in the same malicious activities, but perhaps with some modifications in its code in order to evade detection.

FacexWorm’s April 2018 Revival

On April 8th, malware researchers discovered a reappearance of FacexWorm. The researchers observed significant FacexWorm activity that day, mainly in Taiwan, South Korea, Spain, Japan, Germany, and Tunisia. If a target follows a malicious link found on Facebook, the target’s Facebook friends will also receive the cyber attacker’s message, and a process starts that eventually results in the target’s cryptocurrency wallet getting hijacked and, possibly, money being stolen and sent to the attacker.

How FacexWorm Works

When a target is attacked, it all starts with a message sent by Facebook Messenger. The link in the message directs to a YouTube video. That sounds innocent enough, because Rickrolling is harmless. But instead of being greeted by the captivating 80s blue-eyed soul of Rick Astley, the user is prompted to install a codec in order to watch a different video. All YouTube videos on the web are delivered by HTML5 with the H.264 video codec and WebM these days, so almost all web browsers from the past few years should be able to play any YouTube video without having to install anything extra. Anyway, once the target is prompted to install the fake codec Trojan, they’ll be asked to give the malware permission to change data in the webpage.

Once installed, FacexWorm will start communicating with the cyber attacker’s command and control servers. More malicious code is sent by the command and control servers to the target, and they get redirected to Facebook once again. FacexWorm will try to acquire the target’s Facebook OAuth access token. If that’s successful, the target’s Facebook friends will also receive the same malicious Facebook Messenger message if they are in online or idle status and are using desktop Chrome. If they’re using a different web browser, they’ll get some sort of advertisement instead as they won’t be able to install the FacexWorm Chrome extension.

FacexWorm proceeds to inject malicious JavaScript code that’s acquired from the cyber attacker’s command and control servers, and more malicious code will be injected into as many of the target’s webpages as possible.
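The “change data in the webpage” grant and the later injection of remotely supplied JavaScript both leave traces in an extension’s manifest, so a defender can review it before or after install. The following is an added example, not code from the original post or from any FacexWorm sample; the rule names, the choice of “sensitive” permissions and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example: static review of a Chrome extension manifest.
// Match patterns that grant access to every site the user visits.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions worth a closer look when paired with all-site access (assumed list).
const SENSITIVE = new Set(["tabs", "cookies", "webRequest", "webRequestBlocking"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ].filter((p) => typeof p === "string");

  const hosts = perms.filter((p) => BROAD.has(p));
  if (hosts.length) findings.push({ rule: "all-site-host-access", detail: hosts });

  // Content scripts that run on every page can rewrite any form or address field.
  const scripts = (manifest.content_scripts || [])
    .filter((cs) => (cs.matches || []).some((m) => BROAD.has(m)))
    .flatMap((cs) => cs.js || []);
  if (scripts.length) findings.push({ rule: "all-site-content-script", detail: scripts });

  const apis = perms.filter((p) => SENSITIVE.has(p));
  if (apis.length && (hosts.length || scripts.length)) {
    findings.push({ rule: "sensitive-api-with-all-site-access", detail: apis });
  }

  // A CSP with 'unsafe-eval' lets extension pages eval() strings fetched after install.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : Object.values(csp || {}).join(" ");
  if (cspText.includes("'unsafe-eval'")) {
    findings.push({ rule: "csp-allows-eval", detail: [cspText] });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SUSPICIOUS = {
  name: "Video Codec Helper", manifest_version: 2,
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const BENIGN = {
  name: "Site Notes", manifest_version: 3, permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["notes.js"] }],
};
const rulesFor = (m) => auditManifest(m).map((f) => f.rule);
console.log(rulesFor(SUSPICIOUS), rulesFor(BENIGN));
```

A finding here is a reason to look closer, not proof of malice: many legitimate extensions request all-site access, which is why the combination of rules matters more than any single one.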

These malicious web browser extensions that communicate with command and control servers usually engage in a plethora of harmful activities. Here’s what FacexWorm does.

Some of the JavaScript that the Trojan tries to inject into webpages is a cryptominer based on a Coinhive script but with modifications. 20% of the CPU’s power is used for cryptomining on each thread and the malware will attempt to run four threads. That’s a total of 80% of the CPU’s power for cryptomining! There should be an obvious significant decrease in PC performance, even if the target has an excellent multicore CPU with lots of cache and RAM.

The malware looks for Coinhive, MyMonero, and Google credentials. The first two are cryptocurrency wallet related and may result in stolen money, whereas unauthorized Google account access can further ruin a user’s life by tampering with their Gmail and a wide assortment of other Google services. Any such credentials found are sent to the command and control servers.

If the user opens a tab in Chrome to one of FacexWorm’s 52 targeted cryptocurrency trading platforms, or if the user inputs keywords such as “ethereum” or “blockchain,” the user will be directed to a webpage for a cryptocurrency scam. They’ll be asked to send 0.5 to 10 ether in order to receive 5 to 100 ether in return. Of course, there’s no such thing as free money that way. If it sounds too good to be true, it probably is.

If the user opens a cryptocurrency transaction webpage, FacexWorm tries to acquire their cryptocurrency address, and replace it with the cyber attacker’s address. That way, the user will inadvertently send money to the attacker. The targeted cryptocurrencies include Bitcoin, Bitcoin Gold, Bitcoin Cash, Litecoin, Ripple, Ethereum, Ethereum Classic, Dash, Zcash, and Monero. So the most popular cryptocurrencies are affected.

If the user tries to visit DigitalOcean, Binance,,, or HashFlare, FacexWorm will redirect them to the attacker’s referral link for the website. The attacker receives money for every successful referral.

The Aftermath So Far

Security researchers have only found one hijacked Bitcoin transaction so far, for about $2.49 USD. That’s gotta be a very tiny fraction of a Bitcoin, but maybe there are a lot of hijacked transactions which they haven’t found yet.

The researchers have notified Facebook and Google about the reappearance of FacexWorm. The newer version of FacexWorm has been removed from the Chrome Web Store, and Facebook has banned some domains that are associated with FacexWorm’s malicious activity.

I think FacexWorm is a great example of how new web malware can relaunch several months later after initially being stopped by antivirus vendors, and developers and online services like Facebook and Google. These sorts of cyber attacks keep big tech companies on their toes. But as FacexWorm is a Trojan, more should be done to educate users about avoiding social engineering.