Researchers with cybersecurity firm Trend Micro have uncovered a malicious extension in Google’s Chrome web browser that uses a multitude of methods to steal and mine cryptocurrency from infected users.
The malware, which Trend Micro calls “FacexWorm”, makes its way onto a victim’s browser via social engineering tactics conducted through Facebook Messenger. A target would receive a link leading to a fake YouTube page that would prompt the user to install an extension in order to play the video. Once the extension is installed, it’s programmed to hijack users’ Facebook accounts and spread the link throughout their friends list.
FacexWorm appears to be a Swiss Army knife of cryptocurrency-oriented malware. According to Trend Micro, the malicious extension has various capabilities:
If an infected user tries to log into Google, MyMonero or Coinhive, FacexWorm will intercept the credentials.
When a victim tries to go to a specified set of cryptocurrency trading platforms, they get redirected to a scam site that requests a small amount of Ether, ostensibly for verification purposes.
If FacexWorm detects that a user is on a cryptocurrency transaction page, the extension replaces the wallet address entered by the user with another one from the attacker. Trend Micro says currencies targeted include bitcoin, Bitcoin Gold, Bitcoin Cash, Dash, Ethereum, Ethereum Classic, Ripple, Litecoin, Zcash and Monero.
Trying to go to certain websites will redirect a victim to a referral link that rewards the attacker.
And, of course, FacexWorm has a cryptojacking component, using the victim’s processor to mine for cryptocurrency.
If an affected user appears to be trying to remove the malicious plugin, it has ways of stopping them, Trend Micro says. If a user tries opening Chrome’s extension management page, the malware will simply close the tab.
FacexWorm reportedly first surfaced last year. But it appears to have been adware-oriented in its first iteration, and it was not very active until Trend Micro noticed it last month.
Trend Micro says it has discovered only one instance in which FacexWorm compromised a bitcoin transaction, judging by the attacker’s digital wallet address, but that there is no way to tell for sure how much the attackers have actually profited.
The attacker is persistently trying to upload more FacexWorm-infected extensions to the Chrome Web Store, the researchers say, but Google is proactively removing them. Trend Micro says Facebook, with which it has a partnership, has automated measures that detect the bad links and block their spread.