Luring users on social media to visit lookalike versions of popular websites that pop up a legitimate-looking Chrome extension installation window is one of the most common modus operandi of cybercriminals to spread malware.
Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users worldwide.
Dubbed Nigelthorn, the malware is rapidly spreading through socially engineered links on Facebook and infecting victims’ systems with malicious browser extensions that steal their social media credentials, install cryptocurrency miners, and engage them in click fraud.
The malware was pushed through at least seven different Chrome browser extensions—all were hosted on Google’s official Chrome Web Store.
These malicious Chrome browser extensions were first discovered by researchers at cybersecurity firm Radware, after a “well-protected network” of one of its customers, an unnamed global manufacturing firm, got compromised.
According to a report published by Radware, the malware operators are using copies of legitimate Google Chrome extensions and injecting a short obfuscated malicious script into them to bypass Google’s extension validation checks.
Researchers named the malware “Nigelthorn” after one of the malicious extensions, which was a copy of the popular ‘Nigelify’ extension designed to replace all pictures on a web page with gifs of ‘Nigel Thornberry.’
Nigelthorn Propagates Through Links Sent Over Facebook
Nigelthorn is spreading through socially engineered links on Facebook which, if clicked, redirect victims to a fake YouTube page that asks them to download a malicious Chrome extension to continue playing the video.
A similar malware, dubbed Digimine, emerged last year that also worked by sending socially engineered links over Facebook Messenger and installed a malicious extension, allowing attackers to access the victims’ Facebook profile and spread the same malware to their friends’ list via Messenger.
We recently wrote about another similar malware campaign, dubbed FacexWorm, that was also distributed by sending socially engineered links over Facebook Messenger and redirected users to a fake YouTube page, asking them to install a malicious Chrome extension.
NigelThorn Steals Password for Facebook/Instagram Accounts
The new malware mainly focuses on stealing credentials for victims’ Facebook and Instagram accounts and collecting details from their Facebook accounts.
This stolen information is then used to send malicious links to friends of the infected person in an effort to push the same malicious extensions further. If any of those friends click on the link, the whole infection process starts over again.
NigelThorn also downloads a publicly available, browser-based cryptocurrency mining tool as a plugin to trigger the infected systems to start mining cryptocurrencies, including Monero, Bytecoin or Electroneum.
Over the period of just 6 days, the attackers appeared to generate approximately $1,000 in cryptocurrencies, mostly Monero.
Nigelthorn is also persistent: to prevent users from removing the malicious extensions, it automatically closes the extension tab each time the user opens it.
The malware also blacklists a variety of clean-up tools offered by Facebook and Google and even prevents users from making edits, deleting posts and making comments.
List of Malicious Chrome Extensions
Here are the names of all seven extensions masquerading as legitimate extensions:
- Divinity 2 Original Sin: Wiki Skill Popup
Although Google has removed all of the above-listed extensions, if you have installed any of them, you are advised to immediately uninstall it and change the passwords for your Facebook and Instagram accounts, as well as for any other accounts where you use the same credentials.
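Because the malware closes the extension tab, one way to check a machine is to read the installed extensions straight from the Chrome profile on disk. The script below is an added example, not code from Radware's report or this article; it assumes Chrome's standard `Extensions/<id>/<version>/manifest.json` layout, the default Linux profile path is an assumption, and the watchlist holds only the one name listed above.

```python
import json
import sys
from pathlib import Path

# Name taken from the list above; add the remaining published names.
WATCHLIST = {"divinity 2 original sin: wiki skill popup"}
# Assumed default location on Linux; pass another path as the first argument.
DEFAULT_DIR = Path.home() / ".config/google-chrome/Default/Extensions"


def load_json(path):
    """Parse a JSON file, returning {} if it is unreadable or not an object."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def resolve_name(version_dir, manifest):
    """Return the display name, resolving Chrome's __MSG_key__ placeholders."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2].lower()
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(Path(version_dir) / "_locales" / locale / "messages.json")
    for msg_key, entry in messages.items():
        # Message keys in messages.json are matched case-insensitively.
        if msg_key.lower() == key and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name


def audit_extensions(extensions_dir, watchlist=WATCHLIST):
    """Return (extension_id, version, name) for each watchlisted extension."""
    hits = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        name = resolve_name(version_dir, load_json(manifest_path))
        if name.strip().lower() in watchlist:
            hits.append((version_dir.parent.name, version_dir.name, name))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    for ext_id, version, name in audit_extensions(target):
        print(f"REVIEW {ext_id} {version} {name}")
```

The malicious extensions are copies of legitimate ones, so a name match is a prompt for manual review rather than proof of infection.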
Since Facebook spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media platform.