Monero Mining Botnet

Monero Mining Botnet Infests Facebook Messenger as Mining Craze Continues

As previously covered by Core Media, The Pirate Bay’s Monero mining botnet experiment, in which the torrent index started using JavaScript code to mine Monero with visitors’ CPUs, kicked off a Monero mining craze built on that same code. Its latest infected victim was oil pipeline giant Transneft.

According to cybersecurity firm Trend Micro, the Monero mining craze has now reached Facebook users. Security experts report that a cryptocurrency mining bot is spreading via Facebook Messenger, targeting the Google Chrome browser on desktop. Dubbed Digmine, it was first seen in South Korea but has already spread to various countries including Venezuela, Ukraine, and Vietnam. Given how fast it’s spreading, it’ll likely show up in other regions soon.

Digmine essentially masquerades as a link to a non-embedded video file that, in reality, is an executable script. Once the file is clicked on, the script downloads components from a server so it can install a Chrome extension to mine Monero. It then either streams a bogus video or manipulates the person’s account to send its link to their Facebook friends – if their account is set to log in automatically.

The researchers wrote:

“A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim’s system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income.”

Interestingly, Digmine only works on Chrome, and only on desktops. If the victim clicks on the link using another browser or a mobile device, it won’t work as intended. Digmine bypasses the Chrome Web Store, which extensions normally have to go through, by loading the extension through a command-line interface instead.
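One defender-side check that follows from this, added here as an example and not code from the article or from Trend Micro’s report: scan recorded process command lines for Chrome launched with the `--load-extension` switch, which is Chrome’s documented way to load an unpacked extension without going through the Web Store. The article does not name the exact switch Digmine uses, so that choice and the constructed sample command lines below are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of process command lines, as a process listing or a
# process-creation log would record them (not from the Trend Micro report).
SAMPLE_PROCESSES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Local\Temp\ext" --disable-extensions-except="C:\Users\victim\AppData\Local\Temp\ext" https://www.facebook.com/',
    r'C:\Windows\System32\notepad.exe',
    '/usr/bin/google-chrome --load-extension=/tmp/mining_ext,/tmp/other --no-first-run',
]

# Executable basenames treated as Chrome/Chromium (assumed list).
CHROME_NAMES = ("chrome.exe", "chrome", "google-chrome", "google-chrome-stable",
                "chromium", "chromium-browser")

# --load-extension=<path>[,<path>...], with the value optionally double-quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')


def is_chrome(cmdline: str) -> bool:
    """True if the first token (the executable) is a known Chrome binary."""
    if cmdline.startswith('"'):
        exe = cmdline[1:cmdline.find('"', 1)]  # quoted Windows-style path
    else:
        exe = cmdline.split(None, 1)[0]
    base = re.split(r"[\\/]", exe)[-1].lower()
    return base in CHROME_NAMES


def sideloaded_extensions(cmdline: str) -> List[str]:
    """Return every directory passed via --load-extension (comma-separated)."""
    paths: List[str] = []
    for m in LOAD_EXT_RE.finditer(cmdline):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths


def find_sideloaded(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Flag Chrome processes that load extensions from disk, bypassing the Web Store."""
    findings = []
    for line in cmdlines:
        if is_chrome(line):
            paths = sideloaded_extensions(line)
            if paths:
                findings.append((line, paths))
    return findings


if __name__ == "__main__":
    for cmdline, paths in find_sideloaded(SAMPLE_PROCESSES):
        print("ALERT: Chrome started with sideloaded extension(s):", paths)
```

Extension directories under temp or user-writable locations, as in the constructed samples, are the ones worth triaging first.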

Once active on a victim’s computer, it uses its resources to mine the privacy-centric cryptocurrency. This, then, makes the PC feel sluggish and forces its fans to spin at an unusually loud level. The effects are similar to those caused by JavaScript-based miners, such as Coinhive and Cryptoloot.

Staying safe

After finding Digmine, Trend Micro quickly contacted Facebook, which removed most links associated with it. The social network released a statement:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”

To avoid infection on social networks, enable your account’s privacy settings, avoid unsolicited messages, and avoid suspicious links. The malware’s authors can upgrade it to hijack Facebook accounts down the line, experts note.

The Monero mining craze has gotten so big that bad actors already hijacked the CBS-owned Showtime websites to mine using visitors’ CPUs. Moreover, it forced Cloudflare to crack down on websites that didn’t ask for user permission.