FacexWorm Virus

A new virus, dubbed FacexWorm, is spreading through Facebook Messenger, stealing user account credentials and hijacking victims' devices for cryptocurrency mining.

If you receive a video link from a friend, think twice before opening it: you could compromise your private information and device just by clicking on the link.

Around December last year, Trend Micro researchers discovered a similar virus, named Digmine, that spreads via Facebook Messenger and infects Windows PCs as well as the Chrome browser to mine cryptocurrency in the background.

This new virus originally emerged in August last year, but has since been repacked with multiple new abilities, including stealing user credentials from targeted websites (for instance, cryptocurrency trading platforms), redirecting the user to cryptocurrency referral programs, hijacking the user's device to mine cryptocurrency in the background, hijacking the user's wallet address, and redirecting the user to crypto scam webpages.

[Figure: FacexWorm infection chain]

FacexWorm works just like Digmine, by spreading malicious links over Facebook Messenger from infected accounts to the friends of those accounts. Upon clicking the link, victims are redirected to a fake YouTube site, which asks them to install a Chrome extension in order to play the video.

Just like Digmine, FacexWorm also works by sending socially engineered links over Facebook Messenger to the friends of an affected Facebook account, redirecting victims to fake versions of popular video streaming websites such as YouTube.

Once the victim installs the extension, FacexWorm downloads additional code from its command-and-control server and launches Facebook. When it detects that the site is open, FacexWorm requests an OAuth access token from Facebook. This allows the virus to send multiple queries to Facebook to retrieve the friend list of the infected account and then propagate the malicious fake YouTube links to those friends. If the link is accessed in any browser other than the desktop version of Chrome, it directs the user to a random advertisement instead.

Because the extension requests extended permissions during installation, it is able to read and modify all data on any website that the victim visits.
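To check which installed Chrome extensions hold that kind of all-sites access, the following added example (not code from this article or from the malware) scans extension manifests for broad host patterns. It assumes the usual `<extension id>/<version>/manifest.json` layout under a profile's Extensions directory; the function names and both sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_access(manifest: dict) -> dict:
    """Return {manifest_key: [broad patterns]} for one parsed manifest.json."""
    sources = {
        # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
        "permissions": manifest.get("permissions", []),
        "host_permissions": manifest.get("host_permissions", []),
        "optional_permissions": manifest.get("optional_permissions", []),
        "content_scripts": [m for cs in manifest.get("content_scripts", [])
                            for m in cs.get("matches", [])],
    }
    hits = {}
    for key, values in sources.items():
        broad = sorted({v for v in values if isinstance(v, str) and v in BROAD_HOSTS})
        if broad:
            hits[key] = broad
    return hits


def audit_extensions(ext_root: Path) -> dict:
    """Scan <ext_root>/<extension id>/<version>/manifest.json, flag broad access."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parts[-3]] = {"error": ["unreadable manifest"]}
            continue
        hits = broad_host_access(manifest)
        if hits:
            report[path.parts[-3]] = hits
    return report


# Constructed sample manifests (not taken from the FacexWorm extension).
SAMPLE_BROAD = {"manifest_version": 2, "name": "video-codec (constructed)",
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_SCOPED = {"manifest_version": 3, "name": "notes (constructed)",
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    print(broad_host_access(SAMPLE_BROAD))
    print(broad_host_access(SAMPLE_SCOPED))
```

Many legitimate extensions also request all-sites access, so a hit is a prompt to review the extension, not proof that it is malicious.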

Kindly share this information with your friends and family to safeguard them from falling victim to this malicious attack and to help prevent further propagation of the virus.