Nigelthorn Description

Nigelthorn is a malware campaign that has infected more than one hundred thousand devices across more than one hundred countries. It was delivered mainly through malicious links spread on Facebook. These links lead to fake YouTube pages that display a pop-up window urging the visitor to install a Google Chrome extension. The extension, named 'Nigelify', is listed in the Chrome Web Store as a tool for removing specific images of a pop-culture character. Users who fall for this tactic install the extension believing it will let them watch the fake YouTube video; its real purpose is to load scripts into the infected Web browser and carry out the Nigelthorn attack.

How the Nigelthorn Attack Works

The scripts that Nigelthorn loads into the infected Web browser allow the attackers to collect the victim's Facebook login information. The campaign also attempts crypto-jacking in the infected browser, letting the criminals use the victim's computer resources to mine digital currency, and it has been observed collecting data from the infected computer. With these capabilities, the criminals can clone the victim's computer and hijack their social media accounts, which in turn lets them spread the Nigelthorn campaign to other computer users.

The Nigelthorn Malware Campaign

Malware researchers have observed that the main distribution method of the Nigelthorn tactic is direct messages sent through the Facebook Messenger application. The campaign also spreads through public posts that tag or mention up to 50 people from the victim's Friends or Contacts lists. These posts and messages contain what look like shared YouTube links, which propagate the tactic. The campaign also uses a cryptojacker in the form of malicious JavaScript that consumes the infected computer's resources to mine digital currency. This miner is downloaded from Web pages controlled by the criminals behind the campaign, which may be legitimate websites that have been hijacked. The miner is based on CryptoNight, a mining program that can run on any computer device currently on the market.

Further Details of the Nigelthorn Campaign

Malware associated with the Nigelthorn campaign can evade detection and removal in various ways. For example, Nigelthorn can interfere with the victim's Web browser to close the Extensions page or block connections to websites associated with computer security tools and software. It can also prevent the victim from posting about the infection on social media. Other symptoms vary with how the criminals monetize the infection: the campaign may make the browser visit unwanted websites and display unwanted online content, often spamming the victim and the victim's contacts with shady advertising material.
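The capabilities described above (script injection into every page, blocking navigation to security-vendor sites, closing the Extensions page, reading logged-in session data) map onto specific Chrome extension manifest permissions. The following triage script is an added example, not code from the original write-up or from any analysis of the real Nigelify extension: it audits a parsed manifest.json for that combination of capabilities. The sample manifest is constructed for illustration and is not the real Nigelify manifest; the permission names are real Chrome manifest keys, the risk descriptions are our own.

```python
import json

# Chrome manifest permissions that match the behaviour described in the
# write-up. Keys are real Chrome permission names; the descriptions are ours.
RISKY_PERMISSIONS = {
    "webRequestBlocking": "can block or redirect navigation (e.g. to security vendor sites)",
    "declarativeNetRequest": "can block or redirect navigation via rules",
    "tabs": "can inspect and close tabs, such as the chrome://extensions page",
    "management": "can disable or uninstall other extensions",
    "cookies": "can read session cookies for logged-in sites such as Facebook",
}
# Match patterns that grant access to every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    if perms & BROAD_MATCHES:
        findings.append("host permission covers every site")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_MATCHES:
            findings.append("content script injected into every page: " + ", ".join(cs.get("js", [])))
    return findings


# Constructed sample manifest (NOT the real Nigelify manifest), shaped after the
# behaviour the write-up describes: an "image remover" that injects a script
# everywhere, can block requests, and can read cookies and control tabs.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Image Remover (constructed sample)",
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "cookies", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print("-", line)
```

To run it over installed extensions, point it at each manifest.json under the Chrome profile's Extensions directory; a benign extension with only narrow permissions produces no findings.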

Protecting Your Device from the Nigelthorn Malware Campaign

The Nigelthorn campaign is not limited to a single operating system, because its main targets are users of Google Chrome, a Web browser available across many platforms. Devices infected with malware associated with Nigelthorn have been observed on several operating systems, from Microsoft Windows to Linux and Android. Given how Nigelthorn spreads, it is very important that computer users learn to tell legitimate Web browser extensions from fraudulent ones and avoid clicking spam links and other suspicious online content.