

Posted: May 15, 2018

Facexworm is a Bitcoin-mining Trojan that hijacks your browser for cryptocurrency-generating activities. This threat spreads via Facebook and may compromise the login credentials of any associated accounts in use on an infected computer. Let your anti-malware products remove Facexworm securely, then change any compromised passwords as soon as possible.

Browser-Enslaved Mining in Your Favorite Social Platform

Threat actors are using popular social networks to commit various misdeeds, such as spreading file-locking Trojans like the VevoLocker Ransomware or disguised spyware like StressPaint. One of the latest Trojan campaigns abusing the Facebook platform, Facexworm, demonstrates how often con artists subvert online socializing and media services to circulate their threats and enable other attacks. Like most Trojans that receive regular maintenance, Facexworm exists to make money: in its case, by taking over the user's Chrome browser.

Facexworm propagates through already-compromised victims by querying their Facebook friends lists and automatically messaging those contacts. The included fake YouTube links (which function only in Chrome; in any other browser, the page loads a random advertisement) ask the prospective victim for permission to install an extension. This browser add-on is Facexworm, which includes various cryptocurrency-focused features for taking over the victim's Chrome browser.

Facexworm's features include some that produce visible symptoms for the victim and some that do not; malware analysts emphasize the following as the core of the Trojan:

  • Besides hijacking Facebook profiles, new versions of Facexworm also take over cryptocurrency trading accounts and activities on various websites, along with any Bitcoin wallet accounts.
  • Facexworm can redirect the victim from unrelated websites to cryptocurrency referral programs that generate currency for the threat actor automatically.
  • Finally, the Trojan includes a feature for 'mining' cryptocurrency automatically with the infected PC's hardware, such as its CPU. Unlike the previous functions, this one requires no consent from the user and shows few symptoms beyond those typically associated with limited system resource availability (such as poor program performance).

Keeping Your Social Life Worm-Free

Since Facexworm requires additional data from a C&C server to finish its installation, users who protect their network traffic with strict firewall rules may block the Trojan at its source. Chrome also notifies the user of extended permission requests during the install routine, which gives a victim a second chance to refuse the extension. Although Facexworm is regularly removed from the Chrome Web Store, its threat actors keep re-uploading it in response, and the Trojan's campaign remains under active updating and maintenance.
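As an added illustration of the permission prompt mentioned above (example code written for this page, not part of the original article or of the malware), the following Python script audits installed Chrome extension manifests and flags any that pair broad host access with cookie, tab or request-interception permissions, the combination an extension needs in order to redirect browsing and read account credentials the way this page describes. The sample manifests are constructed; the only assumption about a real system is Chrome's standard profile layout of `Extensions/<id>/<version>/manifest.json`.

```python
import glob
import json
import os

# Permissions that give an extension the reach this page describes: reading site
# cookies and credentials, watching or redirecting navigation, touching tabs.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "webNavigation", "tabs"}
# Host patterns that let those permissions apply on every site, not one origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise the risky capabilities a Chrome extension manifest requests."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 lists host patterns under host_permissions; V2 mixes them into
    # permissions, so collect both.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        # Broad host access plus cookie/request control is what a redirecting,
        # credential-stealing extension needs; flag that pairing for review.
        "flag": bool(broad) and bool(risky),
    }


def audit_profile(profile_dir: str) -> list:
    """Audit every extension under <profile>/Extensions/<id>/<version>/manifest.json."""
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    results = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            results.append(audit_manifest(json.load(fh)))
    return results


# Constructed sample manifests (hypothetical; not the real extension's files).
SAMPLE_MANIFESTS = [
    {"name": "Hypothetical Video Player", "manifest_version": 2,
     "permissions": ["cookies", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"]},
    {"name": "Hypothetical Note Taker", "manifest_version": 3,
     "permissions": ["storage"], "host_permissions": []},
]

if __name__ == "__main__":
    for report in map(audit_manifest, SAMPLE_MANIFESTS):
        print(report)
```

Run `audit_profile()` against a profile directory such as `~/.config/google-chrome/Default` to list every installed extension with its flagged capabilities.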

Because many of Facexworm's features involve taking over the Chrome web-browsing experience, malware experts recommend using a different browser until the infection is resolved. Conventional anti-malware programs should identify and remove Facexworm easily, like most corrupted extensions. Erasing cookies and other temporary browsing data associated with sites promoted by this threat can prevent Chrome from loading related, unsafe content after the Trojan's removal.

For most Facebook users not in the habit of tracking their resource-usage statistics, Facexworm may be capable of mining Bitcoins with their browsers and hardware indefinitely. Double-checking your Task Manager for unusual software behavior, checking up on your friends' Web security, and avoiding strange browser extensions are simple but effective responses to 'social' Trojans like this one.