Facebook, Chrome, and cryptocurrency users are being warned to be on the lookout for a new malware strain that infects victims’ computers in order to steal passwords and cryptocurrency funds.

Bitcoin hijackers are attempting to steal cryptocurrencies such as Bitcoin and Ethereum through a malware disguised as a legitimate Chrome extension.

The resurfaced and evolved ‘FacexWorm’ scams the unsuspecting victim into clicking on a link sent to his or her Facebook Messenger app.

This new strain was first spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns that took place in August and December 2017.

Security researchers report that FacexWorm has reappeared with new capabilities, targeting cryptocurrency platforms and lifting user data..

Trend Micro says it analyzed the extension and found numerous malicious functions. The rogue extension adds code to users’ Chrome browsers to steal login credentials.

“FacexWorm is a clone of a normal Chrome extension, but injected with short code containing its main routine,” explained Trend Micro fraud researcher Joseph Chen.

This behaviour isn’t active on all sites, but only when users are accessing Google, Coinhive, or MyMonero web accounts. Collected credentials are sent to the FacexWorm gang’s servers.

The rogue FacexWorm extension automatically redirects users to a web page pushing a cryptocurrency scam, asking users to send over a small Ether sum to verify their account.

The redirection takes place only when users try to access cryptocurrency-related sites.

The extension comes with a list of 52 websites on which the redirection becomes active. In addition, it will also show up on sites whose URLs also include terms such as “eth,” “ethereum,” or “blockchain.”

The extension also inserts a “cryptojacking” mining script, loading an instance of the Coinhive in-browser miner, which mines Monero for the FacexWorm gang.

Fourth, the rogue extension also switches recipient information for cryptocurrency transactions on trading platforms such as Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and

Trend Micro says FacexWorm can replace details for Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR) transactions, switching the recipient’s address with one owned by the FacexWorm malware creators.

FacexWorm only attacks Chrome.

If another browser is detected, an advertisement appears in place of the malware, according to the Register.

Victims who think they are clicking a link to a YouTube video are tricked into installing the malicious extension as a codec extension.

“FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened.

Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviours on that webpage”

When users try to access certain sites, the FacexWorm rogue extension also redirects users to referral URLs, which is another way in which the malware authors are earning money via their infected hosts.

The referral URL redirection has been spotted for sites such as Binance, DigitalOcean,,, and HashFlare.

Trend Micro played an integral role in shutting down this campaign as soon as it got started and reported it to both Google and Facebook. They say only one illegal transaction for a tiny amount took place before the scam was spotted.

Chrome Web Store staff are believed to have intervened by removing the extension, while Facebook banned domains associated with the spam messages.

Recent posts