Alert: Newly Discovered Malware Targets Facebook Users’ Passwords & Money

Kirsters Baish| Facebook users are being targeted by a new malware attack which is going after their passwords and money through the Facebook Messenger application. The virus has been named FacexWorm. It is a newly modified version of a virus that was identified in the past, as reported by Fox News. The virus utilizes the Facebook Messenger app in order to send links to users. These links direct users to a fake YouTube page. This page then tries to install a fake Chrome browser extension. Passwords and personal data of these users are at risk. Cryptocurrencies on the user’s computer are at risk as well. The virus is able to take over the user’s account and send infected YouTube links to the users’s contacts, spreading the virus even further.

The intent of the malware has to do with cryptocurrency and targeting exchanges of these currencies. The virus is intended to take over transactions and install itself on machines without the owner knowing. Trend Micro’s director of Global Threat Communications, Jon Clay, spoke about the malware. He explained, “Cryptocurrency mining as a threat has been growing rapidly, and the threat actors have been looking at ways to increase their victim size so they can increase the number of devices performing the mining function.”

Clay went on to say, “The more systems, the faster the mining operation, and hence the faster money can be made. This is one of many ways cybercriminals are looking to support their efforts.” He explained that his company has witnessed a “massive increase” in these kinds of cryptocurrency mining attacks within the last few years.

Trend Micro released a full report on the virus, describing the viruses actions:

  • Steal the user’s account credentials for Google, MyMonero, and Coinhive — Once FacexWorm detects that the target website’s login page is open, it will inject a function that will send the credentials to its C&C server after the form is filled and the login button is clicked.
  • Push a cryptocurrency scam — When FacexWorm detects that the user is accessing any of the 52 cryptocurrency trading platforms it targets, or if the user is keying in keywords such as “blockchain,” “eth-,” or “ethereum” in the URL, it will redirect the victim to a scam webpage. The scam entices users to send 0.5 – 10 ether (ETH) to the attacker’s wallet address for verification purposes and promises to send back 5 – 100 ETH. Users can mitigate this by simply closing the page and reopening it to restore normal access to the original website. This is because the malicious extension reserves a timestamp in the cookie that prevents redirection to the scam page within an hour. However, redirection will resume if FacexWorm’s webpages of interest are accessed again. We have so far not found anyone who has sent ETH to the attacker’s address.
  • Conduct malicious web cryptocurrency mining — FacexWorm also injects a JavaScript miner to webpages opened by the victim. The miner is an obfuscated Coinhive script connected to a Coinhive pool. Based on the script’s settings, the miner is configured to utilize 20 percent of the affected system’s CPU power for each thread and opens four threads to mining on webpages.
  • Hijack cryptocurrency-related transactions — Once the victim opens the transaction page on a cryptocurrency-related website, FacexWorm locates the address keyed in by the victim and replaces it with another specified by the attacker. FacexWorm performs this on the trading platforms Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Cryptocurrencies targeted include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR). When we checked the attacker-assigned addresses (until April 19), we found that only one Bitcoin transaction (valued at $2.49) had been hijacked.
  • Earn from cryptocurrency-related referral programs — If the victim accesses a targeted website, FacexWorm redirects the page to the attacker-specified referral link for the same website. The attacker receives a referral incentive for every victim that registers an account. Targeted websites include Binance, DigitalOcean,,, and HashFlare.