Republic of the Philippines
National Police Commission
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 181: Understanding the Risk of FacexWorm Malware

Reference Number ACG-CSB 012220181

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.


Users of Facebook, Chrome and cryptocurrency are on high alert as a new and advanced version of the malware called FacexWorm is at work. FacexWorm spreads to Facebook users via a malicious link in a Facebook Messenger chat. When the link is clicked, it redirects the user to a fake YouTube page that instructs them to install a YouTube-themed Chrome extension in the browser.

FacexWorm has expanded its capabilities and can now carry out multiple malicious behaviors. The malware is designed to detect when a victim visits a login page for Google, MyMonero, or Coinhive; it then steals the credentials from the login form and sends them to its C2 server.

When the victim visits one of the 52 cryptocurrency trading platforms that the malware targets, they are redirected to a scam page which instructs them to send cryptocurrency to the attacker for validation, with promises of getting the money back with interest.

The worm contacts its command and control server in order to access Facebook. This connection results in more fake YouTube links being sent to the victim's contacts, continuing the spread of the malware.

FacexWorm itself is a clone of a normal Google Chrome extension, injected with malicious code. The malicious behavior is delivered by downloading additional JavaScript code each time the browser is opened and whenever a new website is opened.

When the victim initially downloads the malicious extension, a JavaScript cryptocurrency miner called Coinhive, which mines the Monero cryptocurrency, is installed. If the victim visits a cryptocurrency-related website, the attacker changes the receiving wallet address of a transaction to an address controlled by the threat actor.

Moreover, the hackers are attempting to gain cryptocurrency by different means, such as sending malicious referral links to users, who then buy currency via these links. FacexWorm is also targeting customers using a cryptocurrency miner. Furthermore, the malware is equipped with the ability to hide itself. For instance, when the extension management page is opened, FacexWorm will instantly close it. The hackers are also using a shield to protect the malware from exposure.

The frightening aspect of this attack is that the hackers re-upload the extension to the Chrome Web Store even after it has been removed. If you do not want to be a victim of such attacks, think before sharing and enable robust privacy settings on your social accounts.
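
The behaviours described above (code running on every site, closing the extension management page, and downloading additional JavaScript) can be checked for when triaging an installed extension. The following is an added example, not part of the original bulletin and not FacexWorm code; the signal names, verdict thresholds and both sample extensions are constructed assumptions.

```javascript
// Added example (not FacexWorm code): static triage of an unpacked Chrome extension.
// Signal names, verdict thresholds and both samples are constructed for illustration.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditExtension(manifest, sources) {
  const findings = [];
  const code = Object.values(sources).join("\n");

  // 1. Runs on every site, which reading login forms and wallet fields requires.
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = matches.concat(manifest.permissions || [], manifest.host_permissions || []);
  if (hosts.some((h) => BROAD_HOSTS.has(h))) findings.push("broad-host-access");

  // 2. Self-protection: refers to the extension management page and closes tabs.
  if (/chrome:\/\/extensions/.test(code) && /\btabs\.remove\s*\(/.test(code)) {
    findings.push("closes-extension-page");
  }

  // 3. Remote code: a hard-coded remote URL plus a way to execute fetched text.
  const remoteUrl = /["'`]https?:\/\/[^"'`\s]+/.test(code);
  const dynamicExec = /\beval\s*\(|\bnew\s+Function\s*\(|createElement\s*\(\s*["']script["']/.test(code);
  if (remoteUrl && dynamicExec) findings.push("remote-code-load");
  return findings;
}

// Assumption of this example: the self-protection signal alone warrants investigation;
// the other two are common in legitimate extensions and only count together.
function verdict(findings) {
  if (findings.includes("closes-extension-page")) return "investigate";
  return findings.length >= 2 ? "review" : "ok";
}

// Constructed sample 1: fragment shaped like the behaviour the bulletin describes.
const suspicious = {
  manifest: { name: "Sample video helper", permissions: ["tabs", "<all_urls>"] },
  sources: {
    "bg.js": 'var u = "https://c2.example.invalid/p.js"; /* text fetched from u */ eval(body);\n' +
      'if (tab.url.indexOf("chrome://extensions") === 0) chrome.tabs.remove(tab.id);',
  },
};
// Constructed sample 2: ordinary extension scoped to a single site.
const benign = {
  manifest: { permissions: ["storage"], content_scripts: [{ matches: ["https://notes.example.com/*"] }] },
  sources: { "cs.js": 'document.title = "notes";' },
};

for (const s of [suspicious, benign]) {
  console.log(verdict(auditExtension(s.manifest, s.sources)));
}
```

In practice the manifest object and source map would be read from the extension's unpacked directory; a static match is a reason to review the extension by hand, not proof of infection.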


All PNP personnel as well as the public are advised to follow these tips in order to avoid the risk of FacexWorm malware:

• Enforce a password policy;
• Turn off file sharing if not needed;
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task;
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services;
• If Bluetooth is not required for mobile devices, it should be turned off; and
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required.

For additional information, please refer to the following websites:


Please contact PMAJ ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, by e-mail or on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.