Digmine: The Cryptocurrency Mining Bot Which Hijacked Facebook’s Messenger

January 11, 2018

facebook-messenger-hack-digmineA new type of malware utilizes the computer power of unsuspecting PC users to mine Monero digital coins for its perpetrators. Dubbed Digmine by TrendMicro's researchers, the mining bot only infects desktop machines running Facebook Messenger in Google Chrome. The core of the malware – an executable script coded in AutoIt – shows up on the victim's Messenger chat window in the form of a masked video file. What is more, it also sends a download link of the payload to every Facebook contact found in the victim's account.

Only Used For Propagation Purposes … For Now

So far, Digmine has exploited Facebook's Messenger to spread the infection rather than take possession of the victim's entire Facebook account. Given that Digmine connects to a remote command-and-control (C&C) center, as well as its ability to infiltrate Messenger, hijacking the Facebook account altogether is only a matter of time and will on behalf of the malware actors. However, that may not necessarily happen since it does not relate to the two primary purposes of the mining bot, namely:

  • to remain hidden in the infected PC system so that it can utilize its CPU and GPU power to mine coins, and
  • spread over a maximum number of other desktop systems.

Digmine's first goal requires that it remain hidden in the victim's computer long enough without raising suspicion, while the second can quickly come to fruition via a social communications tool such as Facebook's Messenger. As long as these two conditions are available, a cryptocurrency miner like Digmine needs no further functionalities.

Modus Operandi and System Infiltration

As mentioned above, Digmine lands on Messenger as an archived video. When unzipped, this file is appended an executable extension (.exe) next to its video format one as shown in the picture below:


If executed, this 'video' file will connect to its C&C center to download the Digmine payload and install a malicious Google Chrome extension after running the browser using Windows' command-line interpreter. The extension is configured to connect to Facebook Messenger, as well as launch a fake video-streaming platform upon execution. The mining tool, which is hosted on codec(dot)exe, is, in fact, the XMRig Monero miner. The more infected machines, the higher the amount of mined cryptocurrency.

The advent of cryptocurrencies such as Bitcoin and the likes, as well as their steady appreciation, is bound to attract the attention of malware actors across the globe. In this respect, Digmine is neither the first nor the last of its kind.

Leave a Reply

IMPORTANT! To be able to proceed, you need to solve the following simple math.
Please leave these two fields as is:
What is 2 + 6 ?