Facexworm

Facexworm is a JavaScript-based cryptocurrency collector. It can harvest data from the victim's cryptocurrency wallet and take over accounts at online cryptocurrency trading hubs such as Coinbase, Coinmama, Kraken, Cex.io and LocalBitcoins. Facexworm is currently being distributed through a campaign that relies on compromised Facebook accounts. The people behind its distribution use unsafe Google Chrome browser extensions and bogus YouTube pages to gain access to victims' computers. Once Facexworm is installed, they use it to take the victim's cryptocurrency and then infect additional users by sending them messages on Facebook.

How Facexworm Carries out Its Attack

Facexworm takes advantage of victims' limited experience with video streaming and YouTube. Facebook accounts, both fake ones and compromised legitimate ones, were used to deliver Facexworm to victims via direct messages. These spam messages contain a link to what appears to be a YouTube page; clicking it leads to a phishing domain that supposedly hosts some sort of viral video. When the victim reaches the fake YouTube page, a bogus error message claims that a Google Chrome extension must be installed to play the video. Users who open the link in a browser other than Google Chrome are instead redirected to a random advertisement, so the people behind the Facexworm attack still earn some advertising revenue from them. The main attack, however, takes place when the victim installs the bogus Google Chrome extension.

A Short Explanation of the Facexworm Infection

Once the victim installs the browser extension, it connects to its Command and Control servers and downloads and installs the files associated with Facexworm. Facexworm then sends requests to Facebook to obtain the victim's friend list and immediately sends the corrupted Facexworm link to those contacts. Facexworm functions as JavaScript injected into the victim's Web browser: whenever the victim runs the browser, Facexworm loads in the background, mines Bitcoin and another cryptocurrency, and attempts to collect the victim's cryptocurrency login data. Since miners like Facexworm consume a considerable amount of system resources, victims will notice right away that their CPU is overloaded and that their browser and computer become slow, unresponsive and unstable.
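As an added, defender-side example that is not part of the original article, the following Python script triages a Chrome extension's manifest.json and reports which of the services named above (the trading hubs and Facebook) its host permissions or content scripts are allowed to reach, which is the access a credential-collecting extension of this kind needs. The two manifests are constructed samples, and the target host list is assumed from the article's own list of services.

```python
import json
import re

# Services the Facexworm write-up names as targets (list assumed from the article).
TARGET_HOSTS = ["coinbase.com", "coinmama.com", "kraken.com",
                "cex.io", "localbitcoins.com", "facebook.com"]

# Chrome match pattern: <scheme>://<host>/<path>
MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp)://([^/]*)(/.*)?$")


def _related(a, b):
    """True when hostnames a and b are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def pattern_covers_host(pattern, host):
    """Does a Chrome match pattern (permissions / content_scripts) reach `host`?"""
    if pattern == "<all_urls>":
        return True
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return False  # not a host pattern (e.g. an API permission such as "storage")
    host_pat = m.group(2)
    if host_pat == "*":
        return True
    if host_pat.startswith("*."):
        return _related(host_pat[2:], host)
    return _related(host_pat, host)


def triage_manifest(manifest):
    """Return (pattern, target host) pairs showing where the extension can read pages."""
    patterns = set(manifest.get("host_permissions", []))          # Manifest V3 host grants
    patterns.update(p for p in manifest.get("permissions", [])   # Manifest V2 host grants
                    if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return [(p, h) for p in sorted(patterns) for h in TARGET_HOSTS
            if pattern_covers_host(p, h)]


# Constructed sample manifests (not taken from any real extension).
BENIGN = json.loads('{"name": "Notes", "permissions": ["storage"], '
                    '"content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["n.js"]}]}')
SUSPECT = json.loads('{"name": "Video Codec", "permissions": ["<all_urls>", "tabs"], '
                     '"content_scripts": [{"matches": ["*://www.facebook.com/*"], "js": ["x.js"]}]}')

if __name__ == "__main__":
    for m in (BENIGN, SUSPECT):
        print(m["name"], triage_manifest(m))
```

A hit on `<all_urls>` or `*://*/*` is the usual red flag here: a "video codec" extension has no reason to read pages on every site, let alone on exchange and Facebook domains.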

Tracking the Response to the Facexworm Campaign

Google was notified of the Facexworm campaign in May 2018 and has since been gradually removing all browser extensions associated with Facexworm from the Google App store. However, the criminals constantly upload new versions of the threat, which is currently being distributed widely through Facebook. It is therefore essential to take precautions against this and other threats, even if you normally use a different Web browser.

Protecting Your Machine Against Facexworm

The best protection against threats like Facexworm is a strong security application that is always kept up to date. A reliable anti-malware program that actively protects your computer will prevent threats like Facexworm from being installed in the first place or from carrying out their attacks. Facexworm and similar threats are delivered through Facebook spam messages, so learning to recognize these tactics and avoiding such links is essential to preventing these attacks. If you click one of these links by accident, ignore any prompt to install browser extensions or components, and run a security app to make sure that no unwanted components made it onto your computer.
