Digmine Cryptocurrency Miner Bot Spreading Via Facebook Messenger

December 25, 2017, 16:33 IST

A new security intelligence report published by the Tokyo-based cybersecurity firm Trend Micro warns users about a new cryptocurrency-mining bot, named "Digmine", that is spreading through Facebook Messenger.

The bot was first observed in South Korea but has since spread via Facebook Messenger to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand and Venezuela, among other countries.

However, the bot only works in the desktop web-browser version of Facebook Messenger and not on other platforms, the report says.

“Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger’s desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended”, the report reads.

Digmine is coded in AutoIt and is sent to would-be victims disguised as a video file; the file is actually an AutoIt script compiled into an executable. If the victim's Facebook account is set to log in automatically, Digmine manipulates Facebook Messenger to send a link to the file to the account's friends.

The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.

Infection Chain
Digmine is a downloader that will first connect to the C&C server to read its configuration and download multiple components. The initial configuration contains links where it downloads components, most of which are also hosted on the same C&C server. It saves the downloaded components in the %appdata%\ directory.

Digmine also performs other routines, such as installing a registry autostart mechanism and a system infection marker. It then searches for and launches Chrome, loading a malicious browser extension that it retrieves from the C&C server. If Chrome is already running, the malware terminates and relaunches Chrome to ensure the extension is loaded.
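The infection chain above gives a responder four concrete indicators to hunt for: an executable dropped into and run from %appdata%, a Run-key autostart pointing into %appdata%, Chrome being (re)launched by a process in %appdata%, and Chrome started with a side-loaded extension stored there. The script below is an added triage example written for this article; it is not Trend Micro's code and not part of the original report. It runs those indicators over a handful of constructed Sysmon-style events. Assumed here, and not stated on the page: the event field names (`image`, `command_line`, `parent_image`, `target`, `data`), the Run-key value name `codec`, the file names, and that the extension is side-loaded with Chrome's real `--load-extension` switch (the article only says the extension is loaded, not how).

```python
import re

# Patterns derived from the infection chain described above.  Field names and
# the --load-extension switch are assumptions made for this example.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
LOAD_EXT_RE = re.compile(r'--load-extension="?([^" ]+)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample events (not real telemetry), in chronological order.
SAMPLE_EVENTS = [
    # Benign: Chrome started by the user from Explorer.
    {"type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    # The "video" lure dropped a component into %appdata% and ran it.
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Roaming\codec.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\codec.exe",
     "parent_image": r"C:\Users\alice\Downloads\video_1234.exe"},
    # Registry autostart pointing at that component.
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\codec",
     "data": r"C:\Users\alice\AppData\Roaming\codec.exe"},
    # Chrome relaunched by the component with the extension side-loaded.
    {"type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\AppData\Roaming\ext',
     "parent_image": r"C:\Users\alice\AppData\Roaming\codec.exe"},
]


def triage(events):
    """Return (indicator, evidence) tuples for events matching the chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"]
            cmd = ev.get("command_line", "")
            parent = ev.get("parent_image", "")
            if image.lower().endswith("\\chrome.exe"):
                # Extension side-loaded from the component directory.
                m = LOAD_EXT_RE.search(cmd)
                if m and APPDATA_RE.search(m.group(1)):
                    findings.append(("chrome_sideloaded_extension", m.group(1)))
                # Chrome (re)launched by something running out of %appdata%.
                if APPDATA_RE.search(parent):
                    findings.append(("chrome_spawned_from_appdata", parent))
            elif image.lower().endswith(".exe") and APPDATA_RE.search(image):
                # Downloaded component executed from %appdata%.
                findings.append(("exe_run_from_appdata", image))
        elif ev["type"] == "registry":
            # Autostart value under the Run key pointing into %appdata%.
            if RUN_KEY_RE.search(ev["target"]) and APPDATA_RE.search(ev.get("data", "")):
                findings.append(("run_key_autostart_to_appdata", ev["target"]))
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_EVENTS):
        print(f"{indicator}: {evidence}")
```

Each rule on its own is noisy (plenty of legitimate software runs from %appdata% or registers a Run key there), so the value is in the combination: a process from %appdata% that both persists via the Run key and relaunches Chrome with an extension from the same directory is the pattern this article describes, and the four findings from the constructed events above fire in that order.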