A new cryptocurrency-mining bot known as “Digmine”, was first observed in South Korea. The has been spreading rapidly through Facebook Messenger across the world.
Since South Korea, it has since spread in Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela. There are strong predictions that it could reach other countries very soon considering the way it propagates.
As we know by now, Facebook Messenger works across different platforms. Digmine, however, only affects the Messenger’s desktop or Web browser (Chrome) version. So if the file is opened on other platforms, the malware will not work as intended, Trend Micro stated.
How does it work?
Digmine has been coded in AutoIt and sent to possible victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends.
The abuse of Facebook is quite limited to propagation at the moment, however it wouldn’t be implausible for attackers to hijack the Facebook account itself in the future. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be modified accordingly.
Digmine (which mines Monero) will try to stay in the victim’s system for as long as possible as it wants to infect as many machines as possible. With this being done it will translate to an increased hash rate and potentially more cybercriminal income.
Oother routines that will be performed by this malware include installing a registry autostart mechanism as well as system infection marker. It will search and launch Chrome, then load a malicious browser extension that it retrieves from the C&C server.
If Chrome is already running, the malware will then terminate and reload Chrome to ensure the extension is loaded. While extensions can only be loaded and hosted from the Chrome Web Store, the attackers bypassed this by launching Chrome via command line.