Individual research contributed by Adi Raff and Yuval Shapira.

On May 3, 2018, Radware’s cloud malware protection service detected a zero-day malware threat at one of its customers, a global manufacturing firm, by using machine-learning algorithms. This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more.



Further investigation by Radware’s Threat Research group has revealed that this group has been active since at least March of 2018 and has already infected more than 100,000 users in over 100 countries. Facebook malware campaigns are not new. Examples of similar operations include facexworm and digimine, but this group appears to have been undetected until now thanks to the campaign consistently changing applications and the use of an evasive mechanism for spreading the malware.

Infection Process

Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections. The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.

Once the user clicks on “Add Extension,” the malicious extension is installed and the machine is now part of the botnet. The malware depends on Chrome and runs on both Windows and Linux. It is important to emphasize that the campaign focuses on Chrome browsers and Radware believes that users that do not use Chrome are not at risk.

[You might also like: Stresspaint Malware Campaign Targeting Facebook Credentials]

Botnet Statistics

Radware gathered the statistics from various sources, including the malicious extension statistics on the Chrome web store and the Bitly URL shortening service. A victim that clicks on “Add Extension” is redirected to a Bitly URL from which they will be redirected to Facebook. This is done to trick users and retrieve access to their Facebook account. Over 75% of the infections cover the Philippines, Venezuela and Ecuador. The remaining 25% are distributed over 97 other countries.

Bypassing Google Application Validation Tools

The campaign operators created copies of legitimate extensions and inject a short, obfuscated malicious script to start the malware operation.

Radware believes that this is done to bypass Google’s extension validation checks. To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active.

Known Extensions

The Malware

Once the extension is installed on the Chrome browser, a malicious JavaScript (see below) is executed that downloads the initial configuration from the C2.

Afterwards a set of requests is deployed, each with its own purpose and triggers. Here is the communication protocol.

Malware Capabilities

Data theft

The malware is focused on stealing Facebook login credentials and Instagram cookies. If login occurs on the machine (or an Instagram cookie is found), it will be sent to the C2.

The user is then redirected to a Facebook API to generate an access token that will also be sent to the C2 if successful.

Facebook Propagation

Authenticated users’ Facebook access tokens are generated and the propagation phase begins. The malware collects relevant account information for the purpose of spreading the malicious link to the user’s network. The C2 path “/php3/doms.php” is accessed and returns a random URI. For example:

This link is distributed one of two ways: as a message via Facebook Messenger or as a new post that includes tags for up to 50 contacts. Once the victim clicks on the link, the infection process starts over again and redirects them to a YouTube-like webpage that requires a “plugin installation” to view the video.

[You might also like: Why Cyber-Security Is Critical to The Loyalty of Your Most Valued Customers]

Cryptomining

Another plugin that is downloaded by the malware is a cryptomining tool. The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies. The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.

The pools Radware has witnessed are:

• supportxmr.com – 46uYXvbapq6USyzybSCQTHKqWrhjEk5XyLaA4RKhcgd3WNpHVXNxFFbXQYETJox6C5Qzu8yiaxeXkAaQVZEX2BdCKxThKWA

• eu.bytecoin-pool.org – 241yb51LFEuR4LVWXvLdFs4hGEuFXZEAY56RB11aS6LXXG1MEKAiW13J6xZd4NfiSyUg9rbERYpZ7NCk5rptBMFE5uZEinQ

• etn.nanopool.org – etnk7ivXzujEHf1qXYfNZiczo4ohA4Rz8Fv4Yfc8c5cU1SRYWHVry7Jfq6XnqP5EcL1LiehpE3UzD3MBfAxnJfvh3gksNp3suN

At the time of writing, approximately $1,000 was mined over six days, mostly from the Monero pool.

Persistency

The malware uses numerous techniques to stay persistent on the machine and to ensure its activities on Facebook are persistent.

1. If the user tries to open the extensions tab to remove the extension, the malware closes it and prevents removal.

2. The malware downloads URI Regex from the C2 and blocks users that try to access those patterns. The following links demonstrate how the malware attempts to prevent access to what seems to be Facebook and Chrome cleanup tools and even prevents users from making edits, deleting posts and making comments.

• https://www.facebook.com/ajax/timeline/delete*

• https://www.facebook.com/privacy/selector/update/*

• https://www.facebook.com/react_composer/edit/init/*

• https://www.facebook.com/composer/edit/share/dialog/*

• https://www.facebook.com/react_composer/logging/ods/*

• https://www.facebook.com/ajax/bz

• https://www.facebook.com/si/sentry/display_time_block_appeal/?type=secure_account*

• https://www.facebook.com/ajax/mercury/delete_messages.php*

• https://www.facebook.com/ufi/edit/comment/*

• https://www.facebook.com/ufi/delete/comment/*

• https://www.facebook.com/checkpoint/flow*

• https://dl.google.com/*/chrome_cleanup_tool.exe*

• https://www.facebook.com/security/*/download*

• https://*.fbcdn.net/*.exe*

YouTube Fraud

Once the YouTube plugin is downloaded and executed, the malware attempts to access the URI “/php3/youtube.php” on the C2 to receive commands. The retrieved instructions can be to either watch, like or comment on a video or to subscribe to the page. Radware believes the group is trying to receive payments from YouTube though we have not witnessed any videos with high view counts. An example of an instruction from the C2:

{

“result”: [

{“id”: “5SSGxMAcp00”,

“type”: “watch”,

“name”: “Sanars\u0131n animasyon yap\u0131lm\u0131\u015f | Da\u011f k\u0131za\u011f\u0131 ANKARA”,

“time”: “07.05.2018 17:16:30 “},

{

“id”: “AuLgjMEMCzA”,

“start”: “47”,

“finish”: 1547,

“type”: “like”,

“name”: “DJI phantom 3 sahil”,

“time”: “07.05.2018 17:19:38 ”

},

{

“id”: “AuLgjMEMCzA”,

“type”: “watch”,

“name”: “DJI phantom 3 sahil”,

“time”: “07.05.2018 17:30:25 ”

}

]

}

[You might also like: The Cyber Threat Alliance – Stopping Attackers in their Tracks]

Malware Protection

Zero-day malware leverages sophisticated evasion techniques that often bypass existing protections that skilled groups study. Nigelify, which Radware identified in a well-protected network, has gone undetected despite several security solutions. Radware’s machine-learning algorithms have analyzed the communication logs of that large organization, correlating multiple indicators and blocked the C2 access from the infected machines. Radware’s Cloud Malware Protection Service provides several capabilities.

• Detect new zero-day malware using machine-learning algorithms

• Block new threats by integrating with existing protection mechanisms and defense layers

• Report on malware infection attempts in your organization’s network

• Audit defenses against new exploits and identify vulnerabilities

As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources.

Indicators of Compromise

The bad browser extensions have been reported to the appropriate party and they have been removed.