A new malware campaign detected by Radware’s threat research group is reported to be proliferating through fraudulent Facebook links. According to the research of Adi Raff and Yuval Shapira, the malware infects users by abusing a Google Chrome extension, the Nigelify application. Hence the malware has been dubbed Nigelthorn.
The malware has been known since March 2018. Malicious actors have socially engineered links on Facebook so that when users click on the link, they are redirected to a fake YouTube page. Rather than watching the video they expect to see, they are asked to install the dubious extension.
In addition to stealing the victim’s Facebook and Instagram credentials, the malware also collects data from the user’s Facebook account.
“This stolen information is then used to send malicious links to friends of the infected person in an effort to push the same malicious extensions further. If any of those friends click on the link, the whole infection process starts over again,” wrote The Hacker News.
In addition, the malware downloads a crypto-mining tool. While the group has been observed attempting to mine Electroneum, Bytecoin, and Monero, it has had the greatest success mining from the Monero pool, earning approximately $1,000 in six days.
While Google’s security algorithms have blocked four of the seven malicious extensions identified by Radware researchers, attackers remain able to bypass Google’s extension validation checks by exploiting Nigelify and PwnerLike.
The Radware researchers wrote, “Zero-day malware leverages sophisticated evasion techniques that often bypass existing protections that skilled groups study. Nigelify, which Radware identified in a well-protected network, has gone undetected despite several security solutions.”