- A new cryptocurrency-mining bot spreads across many countries including the Philippines
- It works on Desktop Messenger or web browser particularly Chrome
- The script can be updated by the developers to add more functionality and may bring more harm
A new cryptocurrency-mining bot has spread in the Philippines, Thailand, Venezuela, Vietnam, Azerbaijan, Ukraine, South Korea and may possibly reach other countries soon; Financial Express posted on December 25.
According to Tokyo-headquartered cybersecurity major Trend Micro, “Digmine” (which means Monero miner) was first observed in South Korea and rapidly spread across the world via Facebook Messenger. It works only on Desktop Messenger or web browser, particularly Chrome.
“Digmine” has been coded as AutoIt, and the malware is being sent to would-be victims appearing like a video file. When the script’s executed and the user’s Facebook account is set to automatic login, it will manipulate the account to send a link to the file to the account’s friends.
The script is limited to propagation as of posting, but it can be updated by the developers because its functionality’s code is pushed from the command-and-control (C&C) server.
The extension wants to infect as many machines as possible as it translates to an increased hashrate and potentially more cybercriminal income. As a known modus operandi regarding cryptocurrency-mining botnets, it will try to stay within the victim’s system as long as possible.
The malware also installs a registry autostart mechanism as well as system infection marker.
“Digmine” will search and launch Chrome then load a malicious browser extension that it retrieves from the C&C server.
The extensions hosted on the Chrome Web Store follows strong guidelines, thus “Digmine” follows another path via launching via the command line. If the browser’s already active, it’ll terminate and relaunch with the extension loaded.
If infected, remove the extension via going to the browser’s extension menu in the settings and delete all unknown extensions installed.
Watch this video from RenZwaga to learn how to delete an extension: