Researchers at the security firm Trend Micro have recently found a malicious extension for Google's Chrome browser that uses several methods to steal and mine cryptocurrency from infected users.
The malware, which Trend Micro calls "FacexWorm", makes its way onto a victim's browser via social engineering tactics conducted through Facebook Messenger.
A target would receive a link leading to a fake YouTube page that would prompt the user to install an extension in order to play the video. Once the extension is installed, it's programmed to hijack users' Facebook accounts and spread the link throughout their friends list.
FacexWorm appears to be a Swiss Army knife of cryptocurrency-oriented malware. According to Trend Micro, the malicious extension has various capabilities:
If an infected user tries to log into Google, MyMonero or Coinhive, FacexWorm will intercept the credentials.
When a victim tries to go to a specified set of cryptocurrency trading platforms, they get redirected to a scam site that requests a small amount of Ether, ostensibly for verification purposes.
If FacexWorm detects that a user is on a cryptocurrency transaction page, the extension replaces the wallet address entered by the user with another one from the attacker.
Trend Micro says currencies targeted include Bitcoin, Bitcoin Gold, Bitcoin Cash, Dash, Ethereum, Ethereum Classic, Ripple, Litecoin, Zcash and Monero.
Trying to go to certain websites will redirect a victim to a referral link that rewards the attacker.
And, of course, FacexWorm has a cryptojacking component, using the victim's processor to mine for cryptocurrency.
If an affected user appears to be trying to remove the malicious plugin, it has ways of stopping them, Trend Micro says. If a user tries opening Chrome's extension management page, the malware will simply close the tab.
FacexWorm reportedly first surfaced last year, but that first iteration appears to have been adware-oriented, and it was not very active until Trend Micro noticed it last month.
Trend Micro says it has discovered only one instance in which FacexWorm compromised a bitcoin transaction, judging by the attacker's digital wallet address, but that there is no way to tell for sure how much the attackers have actually profited.
The attacker is persistently trying to upload more FacexWorm-infected extensions to the Chrome Web Store, the researchers say, but Google is proactively removing them.
Trend Micro says Facebook, with which it has a partnership, has automated measures that detect the bad links and block their spread.