Digmine spread via Facebook Messenger

Trend Micro is currently warning Digmine as a special kind of Christmas greeting. The victims allegedly received a video that was intended to hide in a four-digit archive. In fact, this is an executable file that should install a Chrome extension and then redistribute to all Facebook contacts. The infected PCs are abused to mine the cryptocurrency Monero.

Already in the previous month, we described in detail the means by which cybercriminals try to use the computing power of third-party computers for their own benefit. Not only smartphones are being used with contaminated Android apps for mining . Using a JavaScripts or other malicious software, notebooks and desktop PCs are used without permission to mine Monero. The currently spread all over the world malicious software called Digmine was spread via Facebook Messenger. According to the security researchers from Trend MicroThe infection started in South Korea, Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand and Venezuela. In the meantime, however, computers from all over the world have been affected by the new wave of infection. The further dissemination only worked if the Chrome users remained permanently on Facebook. As a rule, new extensions of this browser are installed exclusively via the official Chrome Web Store. In this case, a previously unknown vulnerability in Chrome was exploited.

The victims received a private message from their Facebook contacts as a file called video_xxxx.zip, where xxxx stands for any four-digit number. Instead of the Christmas greeting in the form of a video, which are currently widely distributed, it hides behind a malicious software for all computers that are operated with the Windows operating system. So far, Trend Micro has not been able to find any variation for Linux distributions or Mac OS X. The functionality of the new malicious software was described for the first time by the South Korean security researcher Constant .

On all smartphones the execution of the file has no consequences. "Digmine" works only in the desktop area and only if the Facebook Messenger has been opened with the Google Chrome browser. After the infection, the program is added to the Windows startup mechanism so that the Monero Miner automatically runs in the background after each Windows startup. For the moment, a further spread is not possible because Facebook has adapted their messenger for security reasons.

Safety first: better ignore offered files from friends
Between the years countless Christmas messages are sent in the form of videos via WhatsApp or Facebook. Since the senders are our contacts, their messages appear trustworthy and lead the recipients to start executables from third parties themselves. This trust has been exploited by cybercriminals at Digmine. It does not have to be a contaminated PDF file or a prepared .exe. For example, malware can also hide in Matroska container format with the extension .mkv, .mka, .mks, or .mk3d, which in contrast to Digmine actually plays a video. Of course, this does not change the infection in the background.