A form of malware which uses fake Facebook Messenger messages to spread has suddenly surged back into life and has developed new tricks to steal passwords, steal cryptocurrency and engage in cryptojacking.
First uncovered in August last year[1], the malware used phishing messages over Facebook Messenger to direct victims to fake versions of websites like YouTube, at which point they are encouraged to download a malicious Chrome extension.
The malware has remained under the radar since then, at least until April when it appears to have suddenly spiked in activity, targeting Facebook users around the world.
Analysis by researchers at security company Trend Micro[2] - which has dub the malware FacexWorm - said that while the malware is still spread via Facebook and exploits Google Chrome, many of its capabilities have been completely reworked.
New abilities include the capability to steal account credentials from selected websites, including Google as well as cryptocurrency websites. It also pushes cryptocurrency scams of its own and mines infected systems for additional currency.
But in order to conduct any of this activity, the malware needs to be installed on the system of a victim. Victims received a link out of the blue from a Facebook contact which directs to a fake YouTube page.
See also: See also: What is malware? Everything you need to know about viruses, trojans and malicious software[3]
This page asks the victim to install a codec extension to play the video, if run this will install FacexWorm, which asks for permissions to access the site and change data.
This enables contact with the command and control server to access Facebook and sending more fake YouTube links to contacts in order to continue to the