Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 181
Understanding the Risk of FacexWorm Malware
Reference Number ACG-CSB 012220181
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Users of Facebook, Chrome and cryptocurrency are on high alert as a new and advanced version of a malware called FacexWorm is at work. FacexWorm spreads to Facebook users via a malicious link sent in a Facebook Messenger chat. When the link is clicked, it redirects the user to a fake YouTube page that instructs them to install a YouTube-themed Chrome extension in the browser.
FacexWorm has expanded its capabilities and can now carry out multiple malicious behaviors. The malware is designed to detect when a victim visits the login page of Google, MyMonero or Coinhive, then steals the credentials entered in the login form and sends them to its C2 server.
When the victim visits one of the 52 cryptocurrency trading platforms that the malware targets, they are redirected to a scam page which instructs them to send cryptocurrency to the attacker for "validation", with the promise of getting the money back with interest.
The worm also contacts its command and control server to obtain access to the victim's Facebook account. Through this connection, more fake YouTube links are sent to the victim's contacts, continuing the spread of the malware.
Moreover, the attackers attempt to gain cryptocurrency by other means, such as sending malicious referral links to users who then buy currency via these links. FacexWorm also targets victims with a cryptocurrency miner. Furthermore, the malware is equipped with the ability to hide itself: for instance, when the extension management page is opened, FacexWorm instantly closes it. The attackers also employ measures to shield the extension from exposure.
The frightening aspect of this attack is that the attackers re-upload the extension to the Chrome Web Store even after it has been removed. If you do not want to become a victim of such attacks, think before sharing and enable robust privacy settings on your social accounts.
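The bulletin describes an extension that reads login forms, redirects visits to trading sites and closes the extension management page. The following script, added here as an example and not part of the bulletin or of any published FacexWorm analysis, triages a Chrome extension's manifest.json for the browser capabilities such behavior would require; the permission-to-capability mapping and the sample manifests are assumptions constructed for illustration.

```python
# Added example: triage a Chrome extension manifest for the capabilities a
# FacexWorm-style extension would need. The RISKY mapping is an assumption
# of this example, not a documented indicator of the actual malware.
import json

RISKY = {
    "tabs": "observe and close tabs (e.g. the extension management page)",
    "webRequest": "intercept requests on permitted hosts",
    "webRequestBlocking": "redirect or block navigation",
    "webNavigation": "track navigation to login and trading pages",
    "<all_urls>": "inject scripts into every site, including login forms",
    "*://*/*": "inject scripts into every site, including login forms",
}

def triage_manifest(manifest: dict) -> list:
    """Return sorted (permission, capability) findings for one manifest.
    Handles MV2 (permissions only) and MV3 (host_permissions) layouts and
    counts content_scripts match patterns as host access too."""
    granted = set(manifest.get("permissions", []))
    granted |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        granted |= set(script.get("matches", []))
    return [(p, RISKY[p]) for p in sorted(granted) if p in RISKY]

def risk_level(findings: list) -> str:
    """HIGH when the extension can both read every site and watch tabs,
    the combination needed to harvest logins and hide from the user."""
    perms = {p for p, _ in findings}
    broad = perms & {"<all_urls>", "*://*/*"}
    if broad and "tabs" in perms:
        return "HIGH"
    return "MEDIUM" if findings else "LOW"

# Constructed sample manifests (hypothetical, for illustration only).
SUSPICIOUS = json.loads("""{
  "name": "YouTube Video Booster",
  "manifest_version": 2,
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}""")
BENIGN = {"name": "Notes", "manifest_version": 3,
          "permissions": ["storage"], "host_permissions": []}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        findings = triage_manifest(m)
        print(m["name"], risk_level(findings))
        for perm, capability in findings:
            print("  -", perm + ":", capability)
```

Installed extensions keep their manifest.json under the Chrome profile's Extensions directory, so the same function can be run over each one found there.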
All PNP personnel as well as the public are advised to follow these tips in order to avoid the risk of the FacexWorm malware:
• Enforce a password policy;
• Turn off file sharing if not needed;
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task;
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services;
• If Bluetooth is not required for mobile devices, it should be turned off; and
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required.
For additional information, please refer to the following websites:
POINT OF CONTACT