Malicious Chrome extension using new techniques to target cryptocurrency platforms

A cybersecurity firm is warning that a malicious Chrome extension is using a series of new techniques to target cryptocurrency platforms.

FacexWorm, which was first uncovered in August 2017, is accessing digital wallets by spreading through affected web browsers as well as through socially engineered links shared on Facebook Messenger, Trend Micro wrote in a blog post on Monday.

"The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website," according to Trend Micro's analysis.

Its capabilities, however, have changed. The malware is now able to steal key data, such as account information and credentials, from certain websites of interest.

"It also redirects would-be victims to cryptocurrency scams, injects malicious mining codes on the webpage, redirects to the attacker’s referral link for cryptocurrency-related referral programs, and hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker’s," Trend Micro found.

Despite its savvy methods of entry, FacexWorm's impact appears to be relatively minor.

The firm found that only "a very small percentage of users were affected by these malicious extensions," and that Chrome had removed many of these malicious extensions by the time the firm alerted them to the matter.

"While we’ve so far only found one Bitcoin transaction compromised by FacexWorm when we checked the attacker’s address/wallet, we don’t know how much has been earned from the malicious web mining," the firm said.

Last year, the malware surfaced in countries including Germany, Taiwan and Tunisia.