Home > Cyber News > Nigelthorn Malware Infects 100,000 Users via Facebook, Chrome Extensions

Nigelthorn Malware Infects 100,000 Users via Facebook, Chrome Extensions

Because of how popular it is among users worldwide, Facebook has often been leveraged in various scams and malware attacks. The social platform is regularly abused by cybercriminals who use it to spread their payloads via malicious links in messages.

The latest such case involves several legitimately looking Chrome extensions that spread the Nigelthorn malware and have been active at least since March this year. According to Radware researchers, more than 100,000 users have already been infected by the malware dispersed in the described attack.

Related Story: Spam in 2017: Cryptocurrency Scams Sneaked in the Inbox

More about the Nigelthorn Malware Campaign

On May 3, 2018, Radware researchers detected a zero-day malware threat at one of its customers, a global manufacturing firm. “This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more,” the researchers explained.

The malware in question has been dubbed Nigelthorn, and is spreading rapidly across victims via links on Facebook. These links lead to malicious browser extensions that aim to steal Facebook login credentials, meanwhile installing cryptocurrency miners and engaging users in click fraud.

Apparently, Nigelthorn has been using at least seven Chrome browser extensions which were successfully hosted on the Chrome Web Store. Radware researchers were the first to uncover three of those malicious extensions after one of their customers was compromised.

Why was the malware dubbed Nigelthorn?

As explained by the original, the names comes from the fact that the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections. As for the infection chain, the malware redirects victims to a fake YouTube page and asks them to install a Chrome extension to play the video.

Once the user clicks on “Add Extension,” the malicious extension is installed and the machine is now part of the botnet. The malware depends on Chrome and runs on both Windows and Linux. It is important to emphasize that the campaign focuses on Chrome browsers and Radware believes that users that do not use Chrome are not at risk.

Related Story: Chrome Web Store to Ban Cryptocurrency Mining Extensions

What is the Nigelthorn malware capable of?

The malware is primarily focused on harvesting Facebook credentials and Instagram logins. In addition, it also collects details from the compromised Facebook profiles. Not surprisingly, the stolen information is then used to further spread malicious links leading to the rogue extensions to friends of the infected user. Since users often fall for this malicious technique, the malware distribution may go on indefinitely.

Besides obtaining user credentials, the malware is also designed to download browser-based cryptocurrency miner in the form of a plugin. Once installed, the plugin starts mining the Monero, Bytecoin or Electroneum cryptocurrencies. Within 6 days, the Nigelthorn’s operators generated $1,000 in crypto, mostly Monero.

The worst part is that the malware appears to be quite persistent and attempts to prevent users from removing the malicious extensions. It automatically closes the extension tab each time the victim opens it, thus getting in the way of its removal. On top of that, the malware blacklists several clean-up tools by Facebook and Google and prevents victims from making any edits, delete posts and make comments.

Here is the list of the extensions spreading the Nigelthorn malware:

  • Nigelify
  • PwnerLike
  • Alt-j
  • Fix-case
  • Divinity 2 Original Sin: Wiki Skill Popup
  • Keeprivate
  • iHabno

Fortunately, Google was able to remove all of them from Chrome Web Store. Nonetheless, if you have been fooled by a link and ended up installing one of the listed extensions, you should immediately uninstall it. You should also change the passwords for your Facebook and Instagram accounts.

In addition, you should consider scanning your system via anti-malware software to make sure it is malware-free.


Malware Removal Tool

SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree