New Malware Uses a Facebook-YouTube-Chrome Combo to Steal Bitcoins

The FacexWorm has been around since late last year, but it has been continually upgraded to be more efficient in stealing Bitcoins. It’s use of a select blend of social media to propagate itself makes it rather unique and may portend a new approach that criminals may use,

Stage 1: Facebook Messenger

 Criminals get control of a Facebook account or at least an account that allows friends to be seen by anyone. Using Facebook Messenger, the attacker sends a message seeming to come from one of the victim’s contacts. The message will have the victim’s name, a random emoji, and, in it’s basic form, the word, ‘video’. There is a link on which the victim is supposed to click.

facex link

Recently, these messages have been upgraded to make it appear that the link goes to YouTube.

facex youtube link

The lack of any well-formed sentence leads one to suspect the attackers are either of foreign origin or are seeking victims in numerous countries.

Stage 2: YouTube

 If you click on the YouTube link above, the newer versions of FacexWorm will direct you to a fake, but superficially believable, YouTube page. But to view the video you were sent on Messenger, you are told you must install a codec, as seen in the example below.

facex codec

Although the URL has nothing to do with YouTube, the victim may overlook this because of the similarity of the page to an actual YouTube page. If the victim agrees to add the extension, the malware will, through a series of communications with the C&C (Command and Control) server, gain control of the victim’s original Facebook website and send similar messages to the victim’s contacts, propagating the infection.

Stage 3: Chrome Browser 

 As of this writing, the extension that the victim adds in the scenario above only works in Google’s Chrome browser. The malware injects code into a normal Chrome extension. In fact, new code is added with every new web page that the victim opens. The code is programmed to recognize if particular login pages are opened and will send the login information to the C&C server.

FacexWorm’s main function is to gather cryptocurreny. It is programmed to contact the C&C if the victim either visits one of 52 cryptocurrency sites or even writes the word of a particular cryptocurrency. Such actions will trigger the browser to go to a fake web page that matches the cryptocurrency that the victim has shown an interest in. Once at the scam web page, the victim will be asked to send a certain amount of cryptocurrency to the attacker’s wallet to prove they are a valid user. They are informed that the currency will be returned once it is validated. Of course, the money will never be seen again.

FacexWorm will also inject code in web pages in order to allow for cryptocurrency mining which will benefit the attacker. The mining is programmed to take no more than 20% of the infected computer’s CPU’s power which will slow down browsing but will not make it so obvious that the victim becomes suspicious.

If the victim actually does perform a transaction in one of the attacker’s targeted cryptocurrencies, the attacker replaces the recipient’s address with their own and, thereby, pockets the currency. According to the Trend Micro report, these are the targeted trading platforms: Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet These are the targeted currencies for this stage of victimization: Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

FacexWorm attackers can make money if they refer victims to particular cryptocurrency sites. They do this by redirecting a cryptocurrency web page request from the victim through the attacker’s site, making it appear that the attackers were the ones who referred the victim. Thus, if the victim registers an account, the attackers make a little money from having referred them. These are the sites that the attackers receive fees from: Binance, DigitalOcean,,, and HashFlare.

Here is a diagram from the Trend Micro report that summarizes how FacexWorm propagates.

facex diag

Circumventing FacexWorm

 If you are worried that a cryptocurrency web page is a fake, simply refresh the page and it will go to the real page. Make sure to check the URL. Refreshing the page works because the malware has code that prevents redirection to the same page within a certain time frame.

If the victim becomes suspicious, (possibly because they sense that their browsing is slower than usual) and tries to open the extension management menu in the Chrome browser, the malware will close the tab before any action can be taken.

The weak point in the attacker’s propagation is actually in the initial Facebook Messenger attack. Facebook algorithms can readily identify such simple links as malicious and they routinely remove them. Chrome has also been removing extensions containing the malicious code. Installing new updates is important to mitigate any FacexWorm attacks. The sad truth is that these removals only teach the attackers more about hiding their code.

It appears that this entire, somewhat sophisticated, malware exploit is still in the development stage. It is currently affecting computers in Asia and parts of Europe. In fact, the attackers may just be testing it out to see where the weak spots are. I would expect them to develop more techniques to bypass detection as time goes by because the FacexWorm package contains too many good exploits to simply toss aside. It should, when the time is right, begin to show up in the U.S. and that’s something you can bet on.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s