What is FacexWorm Extension?
FacexWorm is a malicious browser extension. It is not actually a new malware. It was detected in August 2017. However, a new version of FacexWorm is rediscovered in late April 2018 by security researchers.
The Modus operandi of this browser extension is same as its previous versions, but the new variant is primarily focused on Facebook, Google Chrome and cryptocurrency users.
ALSO READ: How to Remove MusicFinder Search Browser Extension Virus (SOLVED!)
FacexWorm infects users with the intention of spamming Facebook users, stealing credentials and stealing cryptocurrency funds. Therefore, it is advised to delete FacexWorm from your system as soon as possible. Read the complete article to know how to remove FacexWorm from your system.
FacexWorm spam campaign is similar to two other Facebook Messenger spam campaigns, one that took place in late August 2017 and another in December 2017.
How FacexWorm spreads and infects users?
The FacexWorm infection usually infects the users through Facebook Messenger. The users receive a spam link via Facebook Messenger as the attackers spread the malicious link to all friends of the victim.
When the users click the spam URL, the URL redirects the user to a fake Youtube page, which tricks the user into installing a fake YouTube-themed Chrome browser extension.
It asks the users to play the video on the fake Youtube page which will then request permission to access and change data on the opened website.
In order to spread, FacexWorm establishes communication with C&C to check the propagation function. If the propagation function is activated, it performs various queries to obtain user’s Facebook account’s friends list. It then sends fake YouTube video links to the friends who are online or in idle status.
FacexWorm also shows up on websites whose URLs also include terms such as "eth" "ethereum" or "blockchain".
ALSO READ: Remove Cryptomining Malware (Clean All Malware from System Completely)
Harmful Effects of FacexWorm
The numerous malicious functions of FacexWorm are:
- The extension injects malicious mining codes on the webpage.
- It redirects users to the attacker's referral link for cryptocurrency-related referral programs.
- It downloads and installs malicious JavaScript from the command and control server.
- It adds code to Chrome browser of the users to steal login credentials from login forms. The collected credentials are sent to the servers of the FacexWorm gang.
- The rogue extension automatically redirects users to scam pages carrying out a cryptocurrency scam. It asks users to send a small amount of money to verify their account. This redirection occurs only when users attempt to access cryptocurrency-related websites.
- The extension inserts a cryptojacking mining script in the web browser.
- FacexWorm can also steal cryptocurrency
- It switches the recipient’s address to one of the address of FacexWorm extension creators for cryptocurrency transactions on trading platforms such as Poloniex, Bitfinex, HitBTC, Ethfinex, Binance, etc. This way it steals cryptocurrency.
- When the users try to access certain websites, FacexWorm redirects users to referral URLs. This is another way through which the malware creators are earning money via their infected hosts. The referral URL redirection has been identified for sites such as HashFlare, Binance, FreeBitco.in, DigitalOcean, and FreeDoge.co.in.
- It hijacks transactions in trading platforms and web wallets.
- It steals the victim’s account credentials for Coinhive, Google and MyMonero. Once FacexWorm discovers that the target website’s login page is loaded, it will inject a malicious function. This function sends the credentials to its C&C server when the form is completely filled and the login button is clicked.
- When FacexWorm notices that the user is using keywords such as “eth-”, “ethereum” or “blockchain” in the URL, or if the user is accessing any of the 52 targeted cryptocurrency trading platforms, the FacexWorm extension will redirect the users to a scam webpage and carry out a cryptocurrency scam.
- When the user opens the transaction page on a cryptocurrency-related website, the malicious extension locates the address typed in by the victim. It then replaces the address with another one which is specified by the attacker. This way it hijacks cryptocurrency-related transactions.
Persistence Mechanism
The FacexWorm extension uses a mechanism to prevent victims from removing the rogue extension from their browser. If FacexWorm detects that the victim is opening the Chrome extension management page through “chrome://extensions/”, it immediately closes the opened tab. Find the FacexWorm extension removal process here.
How to Remove FacexWorm?
As you can see, it is practically impossible to manually remove FacexWorm from your browser. Use a FacexWorm cleaner tool to quickly and easily get rid of FacexWorm browser extension.
Tips to Prevent virus and malware from Infecting Your System:
- Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for Chrome, Mozilla, and IE
- Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
- Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
- Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool
