The Nigel Thornberry Plague
The Threat Research team behind the discovery has dubbed this malware ‘Nigelthorn’ — since the extension’s original function is to replace images with pictures of ‘Nigel Thornberry’, from the animated TV series ‘The Wild Thornberrys’.
Starting around March 2018, socially generated links on Facebook redirected people to a bogus YouTube page. Once there, the visitor was prompted to install a Google Chrome extension in order to play the video. Users who pressed “Add Extension” while using Chrome on Windows or Linux most likely had the malware installed and became part of its botnet.
At this time, Radware believes only users on Windows or Linux using Google Chrome need to be concerned.
Real Nigelify Isn’t to Blame
According to Radware’s statistics, 75% of all infected users are located in the Philippines, Ecuador, and Venezuela. The rest were spread across 97 other countries.
The Threat Research team found that the malicious group created fake copies of the legitimate Nigelify extension with a short hidden script added. They believe the purpose of copying a real extension was to bypass Google’s validation checks.
Nigelthorn is Just the Tip of the Iceberg
The Radware team was able to identify seven different threats of this kind. To their knowledge, Google has managed to block most of them — with the exception of Nigelify and PwnerLike.
According to their statistics, none of the other five extensions posed much danger, since they were all removed on the same day they went live. The other five are Alt-j, Fix-case, Divinity 2 Original Sin: Wiki Skill Popup, keeprivate and iHabno.
The Real Purpose of the Malware
Once installed, the malware starts propagating itself. It either sends a message via Facebook Messenger or posts on the user’s wall and links the post to 50 people, the maximum number of users Facebook allows.
Malware Wants More Than Your Facebook Credentials
Apart from stealing login credentials, the malware also installs a browser-based mining tool available on GitHub. The group behind the malware focused on mining Monero, Bytecoin, and Electroneum, all of which use the “CryptoNight” algorithm and can therefore be mined on any CPU.
Radware identified ‘supportxmr.com’, ‘etn.nanopool.org’ and ‘eu.bytecoin-pool.org’ as the pools used by the malicious group. The group appears to have mined a total of $1,000 USD in only six days from the Monero pool alone.
Malware is Smarter than your Smartphone
A number of fail-safes were written into the malware’s code. If the user decided to remove it, the malware made that impossible: every time a new tab was opened to remove the extension, that tab was immediately closed. The code also stops cleanup tools and prevents users from accessing its patterns.
Radware also believes the group tried to make money off YouTube, but has not been able to find enough proof to back up that claim.