A new self-propagating malware dubbed Digmine, which secretly mines Monero, a popular cryptocurrency and alternative to Bitcoin, has been found infecting Facebook Messenger users across the globe. Although security experts first spotted the malware targeting users in South Korea, it has since spread to other countries as well.
The malware is disguised as a video file, usually named "video_xxxx.zip", and installs a Monero miner as well as a malicious Chrome extension, which helps Digmine spread to other victims. So far, the malware has infected victims in Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand and Venezuela. Security experts at Trend Micro, who discovered the malware, fear that given its current propagation, Digmine could soon reach other countries as well.
Researchers say the Monero-mining malware only affects Facebook Messenger's desktop Chrome application. The malicious Chrome extension that the malware installs on victims' PCs gives it access to their Facebook accounts and lets it send private messages to all their contacts, thereby spreading itself.
"A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim's system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income," Trend Micro researchers said in a blog post.
The researchers added that Facebook immediately removed all links to Digmine after the cybersecurity company alerted the tech giant about the malware.
"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger," Facebook said in a statement. "If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners are on facebook.com/help."
However, Bleeping Computer reported that the hackers behind Digmine could tweak the malware's current distribution links and restart the campaign.