A new malware attack is targeting Facebook users’ passwords and money via the Facebook Messenger app.

The virus, named FacexWorm, is a modified version of a previously identified virus, Fox News reports. The virus uses Facebook messenger to send links to users, these links lead users to a fake YouTube page which then attempts to install a fake Chrome browser extension. This extension then attempts to steal users passwords and other personal data, any cryptocurrencies stored on the user’s computer and even attempts to utilize the user’s computer for cryptocurrency mining. The virus will also hijack users accounts and send YouTube links to other people on their contacts list in an attempt to spread the virus.

The main focus of the malware relates to cryptocurrency, targeting cryptocurrency exchanges with the aim of hijacking transactions or installing itself on machines to mine cryptocurrency without the machine owners knowledge. Jon Clay, director of Global Threat Communications at Trend Micro, commented on the malware saying “Cryptocurrency mining as a threat has been growing rapidly, and the threat actors have been looking at ways to increase their victim size so they can increase the number of devices performing the mining function.”

Clay further stated: “The more systems, the faster the mining operation, and hence the faster money can be made. This is one of many ways cybercriminals are looking to support their efforts.” He also stated that Trend Micros has seen a “massive increase” in these types of cryptocurrency mining attacks over the past few years.

Trend Micro released a full report on the virus, describing the viruses actions:

Steal the user’s account credentials for Google, MyMonero, and Coinhive — Once FacexWorm detects that the target website’s login page is open, it will inject a function that will send the credentials to its C&C server after the form is filled and the login button is clicked.

— Once FacexWorm detects that the target website’s login page is open, it will inject a function that will send the credentials to its C&C server after the form is filled and the login button is clicked. Push a cryptocurrency scam — When FacexWorm detects that the user is accessing any of the 52 cryptocurrency trading platforms it targets, or if the user is keying in keywords such as “blockchain,” “eth-,” or “ethereum” in the URL, it will redirect the victim to a scam webpage. The scam entices users to send 0.5 – 10 ether (ETH) to the attacker’s wallet address for verification purposes and promises to send back 5 – 100 ETH. Users can mitigate this by simply closing the page and reopening it to restore normal access to the original website. This is because the malicious extension reserves a timestamp in the cookie that prevents redirection to the scam page within an hour. However, redirection will resume if FacexWorm’s webpages of interest are accessed again. We have so far not found anyone who has sent ETH to the attacker’s address.

— When FacexWorm detects that the user is accessing any of the 52 cryptocurrency trading platforms it targets, or if the user is keying in keywords such as “blockchain,” “eth-,” or “ethereum” in the URL, it will redirect the victim to a scam webpage. The scam entices users to send 0.5 – 10 ether (ETH) to the attacker’s wallet address for verification purposes and promises to send back 5 – 100 ETH. Users can mitigate this by simply closing the page and reopening it to restore normal access to the original website. This is because the malicious extension reserves a timestamp in the cookie that prevents redirection to the scam page within an hour. However, redirection will resume if FacexWorm’s webpages of interest are accessed again. We have so far not found anyone who has sent ETH to the attacker’s address. Conduct malicious web cryptocurrency mining — FacexWorm also injects a JavaScript miner to webpages opened by the victim. The miner is an obfuscated Coinhive script connected to a Coinhive pool. Based on the script’s settings, the miner is configured to utilize 20 percent of the affected system’s CPU power for each thread and opens four threads to mining on webpages.

— FacexWorm also injects a JavaScript miner to webpages opened by the victim. The miner is an obfuscated Coinhive script connected to a Coinhive pool. Based on the script’s settings, the miner is configured to utilize 20 percent of the affected system’s CPU power for each thread and opens four threads to mining on webpages. Hijack cryptocurrency-related transactions — Once the victim opens the transaction page on a cryptocurrency-related website, FacexWorm locates the address keyed in by the victim and replaces it with another specified by the attacker. FacexWorm performs this on the trading platforms Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info. Cryptocurrencies targeted include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR). When we checked the attacker-assigned addresses (until April 19), we found that only one Bitcoin transaction (valued at $2.49) had been hijacked.

— Once the victim opens the transaction page on a cryptocurrency-related website, FacexWorm locates the address keyed in by the victim and replaces it with another specified by the attacker. FacexWorm performs this on the trading platforms Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info. Cryptocurrencies targeted include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR). When we checked the attacker-assigned addresses (until April 19), we found that only one Bitcoin transaction (valued at $2.49) had been hijacked. Earn from cryptocurrency-related referral programs — If the victim accesses a targeted website, FacexWorm redirects the page to the attacker-specified referral link for the same website. The attacker receives a referral incentive for every victim that registers an account. Targeted websites include Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.

Read the report here.