Digimine Bot Uses Facebook Messenger to Install Monero Miner
Trend Micro released a report on December 21, 2017, describing a new type of malware which spreads through Facebook Messenger, infects the Google Chrome browser, and installs and autoruns a Monero miner on victims’ Windows OS computers. The malware effectively capitalizes on the centralization of closed source social networking, web browsing, and operating systems amongst mainstream desktop users.
Mining crypto is traditionally done on one’s own computer. Miners invest in equipment to set up mining rigs to generate income for themselves. But what if you could simply install mining software on a whole lot of other people’s computers without them knowing it? You could increase hash power and use their machines (and their electricity) to secure block rewards that are credited to your own crypto account. Clever? Yes. Ethical? Not really. It’s like owning slaves, making others work for you without compensation.
In the Pirate Bay example, if visitors had been made aware of what was happening and given the option to opt-out, you could argue that stealth mining is an acceptable form of income generation and an inventive alternative to advertising (which suffers from its own ethical trespasses). A quote from the Malwarebytes website sums it up well:
“We do not claim that CoinHive is malicious, or even necessarily a bad idea. The concept of allowing folks to opt-in for an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story.”
Digimine bot, also known as 비트코인 채굴기 bot, was coded in the AutoIt programming language, a freeware automation language for Microsoft Windows. It poses as a video file but is actually an AutoIt executable script. In order to work, it requires a couple of pre-existing conditions. First, the victim must be using the Windows operating system, and second, the victim must be using Facebook Messenger within the Google Chrome web browser (and they must be logged in to their Facebook account).
Digimine spreads to other victims by accessing users’ Facebook Messenger accounts through the Chrome browser and sending a link disguised as a video file with the filename “video_xxxx.zip” to that account’s Facebook friends via Messenger.
If the link is clicked on, the malware gets downloaded to the victim’s computer, and the Windows registry is altered to autorun the malware. Then the malware installs the Chrome extension via command line which runs the Monero miner and also propagates itself by sending a new link in a message to all of the new victim’s Facebook friends. And so on, and so on.
According to Trend Micro, Digimine was first observed in South Korea but has quickly spread to Vietnam, Azerbaijan, Ukraine, Philippines, Thailand, and Venezuela. Although the malware is very smart, the delivery system is still dependent on human error and carelessness.
Anyone who is slightly tech savvy will notice that there is something strange about the message, especially when they see that the video file packed in the .zip has an extension which reads “.mp4.exe,” which indicates that it is not, in fact, a video, but actually an executable. However, people don’t always have time to look closely at their messages and sometimes click links without examining them first.
This human negligence along with the widespread popularity of Windows, Chrome, and Facebook and their respective security weaknesses have allowed for the success of copious amounts of malware, viruses, and ransomware. To date, the only defense against mass exploitation is to increase awareness and decentralize online social communications with the offering of a wide variety of different social platforms, browsers, and operating systems.