NigelThorn malware mines for cryptocurrency and steals Facebook credentials

News by Rene Millman

Malware spreads across social network.

Malware that installs scripts to mine cryptocurrency and steal Facebook credentials has been discovered on the social network, according to security researchers.

In a blog post, Adi Raff and Yuval Shapira, researchers from Radware, said that the Nigelthorn malware abuses a legitimate Google Chrome extension called "Nigelify," which replaces images displayed on a web page with pictures of Nigel Thornberry, a cartoon character from the television show The Wild Thornberrys.

The researchers first spotted the malware earlier this month. It has already infected more than 100,000 users in over 100 countries, propagating through the social network using a mix of social engineering and private messages.

The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video. Once the user clicks on “Add Extension,” the malicious extension is installed, and the machine is now part of the botnet.

Because the malware is delivered as a Chrome extension, it runs on both Windows and Linux hosts. Radware said that non-Chrome users are not affected.

To bypass Google's extension validation checks, the campaign operators created copies of legitimate extensions and injected a short, obfuscated malicious script that starts the malware operation. Researchers said that they have observed seven of these malicious extensions, of which four appear to have been identified and blocked by Google's security algorithms. Nigelify and PwnerLike remain active.

A victim who clicks on “Add Extension” is redirected to a Bitly URL, which in turn redirects them to Facebook.

“This is done to trick users and retrieve access to their Facebook account. Over 75 percent of the infections cover the Philippines, Venezuela and Ecuador. The remaining 25 percent are distributed over 97 other countries,” said researchers.

The extension executes malicious JavaScript that downloads its initial configuration from a command-and-control (C2) server. The malware steals Facebook login credentials and Instagram cookies, and redirects the user to a Facebook API endpoint to generate an access token, which is also sent to the C2 server if the request succeeds.

This allows the malware to collect relevant account information for the purpose of spreading the malicious link to the user's network.

Another plugin downloaded by the malware is a cryptomining tool. Researchers said that the mining JavaScript is downloaded from external sites the group controls and contains the mining pool configuration.

The malware also attempts to persist on the machine and to keep its Facebook activity running. If the user tries to open the extensions tab to remove the extension, the malware closes the tab, preventing removal. It also blocks users from downloading Facebook and Chrome cleaner tools, from deleting Facebook posts, and from making comments.

“As this malware spreads, the group will continue to try to identify new ways to utilise the stolen assets. Such groups continuously create new malware and mutations to bypass security controls,” said researchers.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that since this type of scam usually propagates via compromised links on social media, organisations could resort to limiting or controlling access to the respective websites. 

“If this is undesirable or impossible, employers should regularly educate users regarding threats they might encounter on social networks and train them how to spot such attempts to install browser extensions. This is not a new technique, as rogue browser extensions have been placed via similar attacks for years,” he said.

Sam Haria, global SOC manager of Invinsec, told SC Media UK that his first recommendation is not to click on links sent via Facebook, especially ones telling users that they need to install an additional component.

“Secondly, be wary of people sending you video links, especially if the sender has not done this before. Lastly, organisations need to inform users not to download the following extensions: a total of seven malicious copied versions of legitimate Chrome extensions, including Nigelify, PwnerLike, Alt-j, Fix-case, Divinity 2 Original Sin: Wiki Skill Popup, keeprivate, and iHabno,” he said.

Haria added that the best way for organisations to prevent these rogue extensions from being installed is to have a group policy that prevents the installation of extensions.

“Phishing awareness training shows rapid improvement in the identification of phishing emails, especially combined with escalating training for those who fail. Providing a button on the email client to report suspected phishing/malware allows the user to be part of the defence structure,” he said.

“Organisational culture change can have dramatic effect. Moving away from shaming individuals who fall foul of phishing to a model that encourages disclosure has been shown to strengthen the entire team and organisation.”
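As an added illustration of the allowlisting advice above, the following Python script is example code written for this page, not code from Radware, Invinsec or SC Media. It does two things a defender would want after reading this story: it walks a Chrome profile's Extensions directory and flags any extension that is not on an approved list, that carries one of the seven extension names reported in the campaign, or that requests access to every site (the permission a credential stealer or in-page miner needs), and it emits the Chrome enterprise policy (ExtensionInstallBlocklist "*" plus ExtensionInstallAllowlist) that Haria's group-policy recommendation amounts to. The extension IDs and manifests are constructed for the example. Note the caveat built into the name check: because the campaign trojanised copies of legitimate extensions, a name match also flags the clean original, so it is a triage signal to be confirmed against the Web Store ID rather than a verdict.

```python
"""Audit the extensions installed in a Chrome profile and emit the matching
enterprise allowlist policy.  Added example for this page; not code from
Radware, Invinsec or SC Media.  All extension IDs below are made up."""
import json
import tempfile
from pathlib import Path

# Extension names the article reports as trojanised copies of legitimate
# Web Store extensions.  A name match also flags the clean original, so it
# is a triage signal, not a verdict: compare the Web Store ID as well.
REPORTED_NAMES = {
    "nigelify", "pwnerlike", "alt-j", "fix-case",
    "divinity 2 original sin: wiki skill popup", "keeprivate", "ihabno",
}

# Host patterns that let an extension read and rewrite every page, which is
# what a Facebook credential stealer or in-page cryptominer needs.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def build_chrome_policy(allowed_ids):
    """Chrome enterprise policy: block every extension, then allow only the
    listed IDs.  These are the Chrome 86+ key names; older releases spell
    them ExtensionInstallBlacklist / ExtensionInstallWhitelist.  On Windows
    the same keys live under HKLM\\Software\\Policies\\Google\\Chrome, on
    Linux in /etc/opt/chrome/policies/managed/*.json."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowed_ids),
    }


def audit_extensions(profile_dir, allowed_ids):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return a
    list of (extension id, name, reasons) for anything worth a look."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                manifest = None
            if not isinstance(manifest, dict):
                findings.append((ext_id, "?", ["unreadable manifest"]))
                continue
            name = str(manifest.get("name", ""))
            # Manifest v2 keeps host patterns in "permissions"; v3 moves them
            # to "host_permissions".  Non-string entries are ignored.
            hosts = {
                p for key in ("permissions", "host_permissions")
                for p in manifest.get(key, []) if isinstance(p, str)
            }
            reasons = []
            if ext_id not in allowed_ids:
                reasons.append("not in allowlist")
            if name.strip().lower() in REPORTED_NAMES:
                reasons.append("name matches an extension named in the campaign")
            if hosts & BROAD_HOSTS:
                reasons.append("requests access to all sites")
            if reasons:
                findings.append((ext_id, name, reasons))
    return findings


def make_sample_profile(root):
    """Constructed sample profile: one approved internal tool and one copy of
    'Nigelify' with all-sites access.  Returns the allowlist to audit with."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Corp Password Filler", "version": "1.0",
            "manifest_version": 2, "permissions": ["storage"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Nigelify", "version": "0.2",
            "manifest_version": 2, "permissions": ["tabs", "<all_urls>"],
        },
    }
    for ext_id, manifest in samples.items():
        ext_dir = Path(root) / "Extensions" / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as profile:
        allowed = make_sample_profile(profile)
        for ext_id, name, reasons in audit_extensions(profile, allowed):
            print(f"{ext_id} {name!r}: {', '.join(reasons)}")
        print(json.dumps(build_chrome_policy(allowed), indent=2))
```

Run against a real profile by pointing audit_extensions at the user data directory (for example ~/.config/google-chrome/Default on Linux) with the organisation's approved IDs; the policy dictionary can be written as-is to the Linux managed-policy directory, and on Windows the same two keys are set under the Chrome policy registry path, after which chrome://policy should show them as applied.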
