A Monero Mining Bot Is Spreading Through Facebook Messenger

If you’ve interacted with Facebook, you may have had run-ins with spam bots that infest your profile (or your friends’ profiles) and post links or advertisements without your permission. Well, the same malware that tells your friends to “Check out this link for 90% off a BRAND NEW pair of Ray-Bans. WOW!” is now being used to mine cryptocurrency. A downloaded client runs mining software that contributes hashing power to the malware’s source server. Unaware Facebook users may have downloaded this bot through links shared on Facebook Messenger.

Mining on Someone Else’s Dime

You could be mining cryptocurrency without even knowing it, all because of a mining bot spread through Facebook Messenger.

Lenart Bermejo and Hsia-Yu Shih originally covered the revelation in a Trend Micro report. The malware, called Digimine, originated in South Korea, propagates itself through Facebook’s messaging app, and is used to mine Monero. The bot is confined to Messenger’s desktop client and its Chrome browser extension. If you open the malware on another platform, such as Facebook Messenger’s mobile app, your device will not be infected. The report indicated that the bot’s only surrogate is Messenger right now, but it warned that “it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line.”

Like other malware, Digimine can only be downloaded by activating its source link. Masquerading as a video file, Digimine is coded into AutoIT, a freeware scripting language designed for Windows. If you open the faux video file, your computer will begin running the AutoIT executable script, and if you have auto login enabled, the bot will automatically send the malware to your Facebook friends via Messenger.

Once it begins running the software, an infected computer connects to the malware’s command-and-control server. This server allocates all of the computing power of infected devices for the purpose of mining Monero, a popular privacy coin. The more computers that become infected, the higher the hashrate for the central mining operations, meaning that Digimine’s orchestrators can expect a fatter payday.

So far, Trend Micro has traced this malware to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela, adding the caveat: “It’s not far-off for Digimine to reach other countries given the way it propagates.”

In response to the development, Facebook issued the following statement:

We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners.

In the report, Trend Micro revealed that the malicious links may include the following terms: vijus[.]bid, ozivu[.]bid, thisdayfunnyday[.]space, thisaworkstation[.]space, mybigthink[.]space, mokuz[.]bid, pabus[.]bid, yezav[.]bid, bigih[.]bid, taraz[.]bid, megu[.]info. The report also lists a number of indicators that may help determine whether or not a device has been infected. For example, if you were to download the malware while using Facebook’s Chrome extension, the malware would terminate and then relaunch Chrome to load Digimine.

If you think your computer has been infected, you can visit facebook.com/help for tips and information on how to move forward.