• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Digmine Cryptocurrency Miner Spreading via Facebook Messenger

Digmine Cryptocurrency Miner Spreading via Facebook Messenger

  • Posted on:December 21, 2017 at 6:01 am
  • Posted in:Malware, Social
  • Author:
    Trend Micro
0

by Lenart Bermejo and Hsiao-Yu Shih

We found a new cryptocurrency-mining bot spreading through Facebook Messenger, which we first observed in South Korea. We named this Digmine based on the moniker (비트코인 채굴기 bot) it was referred to in a report of recent related incidents in South Korea. We’ve also seen Digmine spreading in other regions such as Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. It’s not far-off for Digmine to reach other countries given the way it propagates.

Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger’s desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended.

Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.

A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim’s system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income.


Figure 1: Digmine’s attack chain


Figure 2: Link to Digmine sent via Facebook Messenger (top, cropped) and the file pretending to be a video (bottom); original image source: c0nstant (bottom right)

Infection Chain
Digmine is a downloader that will first connect to the C&C server to read its configuration and download multiple components. The initial configuration contains links where it downloads components, most of which are also hosted on the same C&C server. It saves the downloaded components in the %appdata%\<username> directory.



Figure 3: Configuration for the downloader (top); and the downloaded components (bottom)

Digmine will also perform other routines such as installing a registry autostart mechanism as well as system infection marker. It will search and launch Chrome then load a malicious browser extension that it retrieves from the C&C server. If Chrome is already running, the malware will terminate and relaunch Chrome to ensure the extension is loaded. While extensions can only be loaded and hosted from the Chrome Web Store, the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line.



Figure 4: Digmine downloader component in the autostart registry entry (top), and a marker indicating the malware has infected the system (bottom)


Figure 5: Currently running Chrome process terminated (top) and relaunching Chrome with parameter to load extension (bottom)

The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video.

The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.



Figure 6: Configuration link for the decoy video if a separate routine is set by the configuration from the C&C (top), and screenshot of a fake streaming site used to play video as decoy (bottom)

Figure 7: Initial configuration used by the browser extension

Propagation
The browser extension is responsible for propagation via interaction with Chrome, and by extension, Facebook Messenger. This routine is triggered by conditions available in the configuration file retrieved from the C&C server.

If the user has their Facebook account automatically logged in by default, the browser extension is able to interact with their account. It does so by downloading additional code from the C&C server. Digmine’s interaction with Facebook could get more functions in the future since it’s possible to add more code.


Figure 8: Part of additional codes retrieved from C&C server, which allows interaction with Facebook

Mining Component
The miner module will be downloaded by codec.exe, which is the miner management component. It will connect to another C&C server to retrieve the miner and its corresponding configuration file.

The mining component miner.exe is an iteration of an open-source Monero miner known as XMRig. The miner was reconfigured to execute using the config.json file instead of receiving parameters directly from the command line.



Figure 9: Miner configuration (top) and codec.exe code launching the miner component with config (bottom)

C&C Communication and Protocol
Both the downloader and mining management component use specific HTTP headers to communicate with the C&C server. When downloading the initial configuration, the malware constructs the HTTP GET request before sending to the C&C server:
GET /api/apple/config.php HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Miner
Window: <Window name of active window>
ScriptName: <filename of malware>
OS: <OS version>
Host: <C&C>

Of note is how the malware uses a specific User-Agent called Miner. It denies access to the initial configuration file if the HTTP header request is incorrect.

Best Practices
The increasing popularity of cryptocurrency mining is drawing attackers back to the mining botnet business. And like many cybercriminal schemes, numbers are crucial—bigger victim pools equate to potentially bigger profits.  The fact that they’re piggybacking on popular platforms such as social media to spread their malware is unsurprising. To avoid these types of threats, follow best practices on securing social media accounts: think before you share, be aware of suspicious and unsolicited messages, and enable your account’s privacy settings.

We disclosed our findings to Facebook, which promptly removed many of the Digmine-related links from its platform. In Facebook’s official statement, “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”

Indicators of Compromise (IoCs):
Hash detected as TROJ_DIGMINEIN.A (SHA256);

  • beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d

Hash detected as BREX_DIGMINEEX.A (SHA256):

  • 5a5b8551a82c57b683f9bd8ba49aefeab3d7c9d299a2d2cb446816cd15d3b3e9

Hash detected as TROJ_DIGMINE.A (SHA256):

  • f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909

C&C servers related to Digmine (including subdomains):

  • vijus[.]bid
  • ozivu[.]bid
  • thisdayfunnyday[.]space
  • thisaworkstation[.]space
  • mybigthink[.]space
  • mokuz[.]bid
  • pabus[.]bid
  • yezav[.]bid
  • bigih[.]bid
  • taraz[.]bid
  • megu[.]info

Related posts:

  • Cybercriminals Use Malicious Memes that Communicate with Malware
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: cryptocurrency minerDigmineFacebook

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack
  • Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
  • Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps
  • Mac Backdoor Linked to Lazarus Targets Korean Users

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • 49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.