Luring users on social media to lookalike versions of popular websites that pop up a legitimate-looking Chrome extension installation window is one of the most common tactics cyber-criminals use to spread malware.
Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users worldwide.
Dubbed Nigelthorn, the malware is spreading rapidly through socially engineered links on Facebook and infecting victims’ systems with malicious browser extensions that steal their social media credentials, install cryptocurrency miners, and enlist them in click fraud.
The malware was pushed through at least seven different Chrome browser extensions, all of which were hosted on Google’s official Chrome Web Store.
These malicious Chrome extensions were first discovered by researchers at a cyber-security firm after the “well-protected network” of one of its customers was compromised.
According to a report published by the cyber-security firm, the malware operators are using copies of legitimate Google Chrome extensions and injecting a short obfuscated malicious script into them to bypass Google’s extension validation checks.
Researchers named the malware “Nigelthorn” after one of the malicious extensions, which was a copy of the popular ‘Nigelify’ extension designed to replace all pictures on a web page with GIFs of ‘Nigel Thornberry.’
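The report describes tampered copies of legitimate extensions that differ from the original only by a short, obfuscated script. As an added example (not code from the article or from the firm that reported Nigelthorn), the script below shows one way a defender can triage the extensions installed in a local Chrome profile for that pattern: it reads each extension's manifest.json, follows the content and background scripts it loads, and flags files that use dynamic-code helpers (eval, Function, unescape, atob, fromCharCode), contain very long string literals, or have unusually high byte entropy. The indicator set, the entropy threshold and the two constructed sample extensions (a clean one and a tampered copy with an injected loader) are assumptions made for this demonstration; they are heuristics for deciding what to inspect, not a signature for Nigelthorn.

```python
"""Heuristic triage of locally installed Chrome extensions for injected, obfuscated scripts.

Added example: not code from the article or from the firm that reported Nigelthorn.
Scoring rules, thresholds and the two constructed sample extensions are assumptions
made for this demonstration.
"""
import base64
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed obfuscation indicators: dynamic code execution and decoding helpers that
# packed loaders tend to use, plus very long single string literals (payload blobs).
SUSPICIOUS_CALLS = re.compile(r"\b(eval|Function|unescape|atob)\s*\(")
LONG_STRING = re.compile(r"""(['"])[^'"\n]{200,}\1""")
# Ordinary (even minified) JavaScript sits around 4.5-5.0 bits/byte; base64 or packed
# blobs approach 6. The cut-off is an assumption tuned for this demo.
ENTROPY_THRESHOLD = 5.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scripts_from_manifest(manifest: dict) -> list[str]:
    """Script paths an extension loads: content scripts plus MV2/MV3 background scripts."""
    scripts: list[str] = []
    for cs in manifest.get("content_scripts", []):
        scripts.extend(cs.get("js", []))
    background = manifest.get("background", {})
    scripts.extend(background.get("scripts", []))
    if "service_worker" in background:
        scripts.append(background["service_worker"])
    return scripts


def score_script(path: Path) -> list[str]:
    """Return the indicator names that fire for one JavaScript file (empty list = clean)."""
    data = path.read_bytes()
    text = data.decode("utf-8", errors="replace")
    indicators = sorted(set(SUSPICIOUS_CALLS.findall(text)))
    if "fromCharCode" in text:
        indicators.append("fromCharCode")
    if LONG_STRING.search(text):
        indicators.append("long_string")
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_THRESHOLD:
        indicators.append(f"entropy={entropy:.2f}")
    return indicators


def triage_extensions(extensions_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and score every loaded script.

    On Linux the directory is typically ~/.config/google-chrome/Default/Extensions;
    pass the equivalent path for other platforms.
    """
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_root = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        for rel in scripts_from_manifest(manifest):
            script = ext_root / rel
            if not script.is_file():
                continue
            findings.append({
                "extension_id": ext_root.parent.name,
                "name": manifest.get("name", "?"),
                "version": ext_root.name,
                "script": rel,
                "indicators": score_script(script),
            })
    return findings


def build_sample_profile(root: Path) -> Path:
    """Create a constructed Extensions tree: one clean extension and a tampered copy of it."""
    ext_dir = root / "Extensions"
    content_js = ("const GIF = chrome.runtime.getURL('nigel.gif');\n"
                  "document.querySelectorAll('img').forEach(img => { img.src = GIF; });\n")
    manifest = {
        "name": "Sample Gif Swapper", "version": "1.0", "manifest_version": 2,
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }
    clean = ext_dir / ("a" * 32) / "1.0_0"
    clean.mkdir(parents=True)
    (clean / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (clean / "content.js").write_text(content_js, encoding="utf-8")
    # Tampered copy: identical content script plus an injected packed background loader.
    tampered = ext_dir / ("b" * 32) / "1.0_0"
    tampered.mkdir(parents=True)
    tampered_manifest = dict(manifest, background={"scripts": ["bg.js"]})
    (tampered / "manifest.json").write_text(json.dumps(tampered_manifest), encoding="utf-8")
    (tampered / "content.js").write_text(content_js, encoding="utf-8")
    blob = base64.b64encode(bytes(range(256)) * 3).decode("ascii")  # constructed filler, not real malware
    (tampered / "bg.js").write_text(f"eval(atob('{blob}'));\n", encoding="utf-8")
    return ext_dir


def demo() -> list[dict]:
    """Build the constructed profile in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_extensions(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        status = "SUSPECT" if f["indicators"] else "ok"
        print(f"{status:7} {f['extension_id']} {f['name']} {f['version']} {f['script']} {f['indicators']}")
```

Run it as-is to see the constructed sample, or call `triage_extensions(Path(...))` on a real profile's Extensions directory. A hit only means the file deserves a look; the decisive check for a cloned extension is a file-by-file comparison against the version published in the Chrome Web Store under the same name.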
Nigelthorn Propagates Through Links Sent Over Facebook
Nigelthorn is spreading through socially engineered links on Facebook which, if clicked, redirect victims to a fake YouTube page that asks them to download a malicious Chrome extension in order to continue playing the video.
NigelThorn Steals Passwords for Facebook/Instagram Accounts
The new malware focuses mainly on stealing credentials for victims’ Facebook and Instagram accounts and collecting details from their Facebook accounts.
This stolen information is then used to send malicious links to friends of the infected person in an effort to push the same malicious extensions further. If any of those friends click on the link, the whole infection process starts over again.
NigelThorn also downloads a publicly available, browser-based cryptocurrency mining tool as a plugin that makes the infected systems mine cryptocurrencies, including Monero, Bytecoin and Electroneum.
Over a period of just 6 days, the attackers appear to have generated approximately $1,000 in cryptocurrencies, mostly Monero.
Nigelthorn is also persistent: to stop users from removing the malicious extensions, it automatically closes the browser’s extensions management tab each time the user opens it.
The malware also blacklists a variety of clean-up tools offered by Facebook and Google, and even prevents users from editing or deleting posts and making comments.
- Divinity 2 Original Sin: Wiki Skill Popup
Although Google has removed all of the above-listed extensions, if you have installed any of them you are advised to uninstall it immediately and change the passwords for your Facebook and Instagram accounts, as well as for any other accounts where you use the same credentials.
Since Facebook spam campaigns are quite common, users are advised to be vigilant when clicking on links and files shared via the social media platform.