A newly discovered malware family capable of credential theft, cryptomining, click fraud, and other nefarious actions has already infected over 100,000 computers, Radware reveals.
Dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, the malware is propagating via socially-engineered links on Facebook. The group behind the campaign has been active since at least March 2018 and has already managed to infect users in 100 countries.
Victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once they accept the installation, the malicious extension is added to their browser, and the machine is enrolled in the botnet.
Impacting both Windows and Linux machines, the malware depends on Chrome, which suggests that those who do not use this browser are not at risk, the security researchers point out.
The actor behind the campaign uses the Bitly URL shortening service when redirecting victims to Facebook to trick users into revealing their login credentials. Based on statistics from Bitly and the Chrome web store, Radware determined that 75% of the infections occurred in the Philippines, Venezuela and Ecuador, with the remaining 25% distributed over 97 other countries.
In order to bypass Google’s validation checks, the malware developers created copies of legitimate extensions and injected a short, obfuscated malicious script into them, to start the malware operation.
“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” the security researchers note.
When the extension is installed, a malicious JavaScript is executed to download the initial malware configuration from the command and control (C&C) server, after which a set of requests is deployed.
The Nigelthorn malware itself is focused on stealing Facebook login credentials and Instagram cookies. It also redirects users to a Facebook API to generate an access token that is then sent to the C&C.
The stolen credentials are used for propagation, to spread the malicious link to the user’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts. Should any of the victim’s contacts click on the link, the infection process is repeated.
The ma
lware also downloads a cryptomining tool to the victim’s machine. A publicly available browser-mining tool is used for this, downloaded from external sites that the group controls. Over the past several days, the actor was observed attempting to mine Monero, Bytecoin and Electroneum, all of which require CPU power to mine.
Persistence is achieved through closing the extensions tab if the user attempts to access it, and through downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.
A YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.
“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” the researchers conclude.
