Google has taken down a popular Chrome extension called Archive Poster, which was quietly mining cryptocurrency on the machines of over 105,000 users. According to a report by BleepingComputer, the extension was deploying an in-browser cryptocurrency miner that hijacks a user's CPU and mines Monero without asking for any permissions. As per its description, Archive Poster is an extension that allows Tumblr users to "reblog, queue, draft and like posts directly from another blog's archive."
As per the report, the Archive Poster extension would hijack a user's CPU to mine cryptocurrency for the entire duration Chrome was active. Many user reviews of the extension revealed that it had incorporated the Coinhive in-browser miner in its source code, the same miner "The Pirate Bay" used for cryptojacking its visitors. Cryptojacking is the practice of secretly mining cryptocurrencies with other people's computer resources, without their knowledge.
Facebook's Messenger was also recently attacked with a new cryptocurrency-mining bot called "Digimine" that mines Monero. The bot only affects the desktop and web-browser versions of Facebook Messenger. As per a previous report, it sends a file which, if opened on other platforms, does not work as intended. It cryptojacks a user's browser and also installs a registry autostart mechanism as well as a system infection marker. It launches Chrome on its own to install a malicious browser extension that it retrieves from a command-and-control (C&C) server.
The malware also relaunches Chrome if it is already running, to make sure that the extension gets installed. Although Chrome extensions can only be installed via the browser's Web Store, the attackers bypassed this by launching Chrome via the command line.
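The two behaviours described above (a registry autostart entry and Chrome being launched from the command line to sideload an extension) are both visible in ordinary process-creation and registry telemetry. The following is an added detection example written for this article, not code from the report or from the malware analysis; it runs over constructed sample events, and the `--load-extension` flag it looks for is a real Chrome switch, but the paths and log format are assumptions.

```python
# Constructed sample process-creation events: "<image>|<command line>",
# loosely modelled on what an EDR or Sysmon event would record.
SAMPLE_EVENTS = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe https://example.com",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe --no-first-run "
    r"--load-extension=C:\Users\alice\AppData\Local\Temp\ext",
    r"C:\Windows\explorer.exe|explorer.exe",
]

# Constructed sample Run-key value data (assumed path), as a registry-set event
# for HKCU\...\CurrentVersion\Run might carry it.
SAMPLE_RUN_VALUE = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r"--load-extension=C:\Users\alice\AppData\Local\Temp\ext"
)

# Real Chrome switches that load an unpacked extension bypassing the Web Store.
SIDELOAD_FLAGS = ("--load-extension", "--disable-extensions-except")


def sideload_flags(cmdline):
    """Return the sideloading switches present in a command line (case-insensitive)."""
    found = []
    for token in cmdline.split():
        flag = token.split("=", 1)[0].lower()
        if flag in SIDELOAD_FLAGS:
            found.append(flag)
    return found


def detect_sideload(events):
    """Flag chrome.exe launches whose command line sideloads an extension."""
    hits = []
    for line in events:
        image, _, cmdline = line.partition("|")
        if not image.lower().endswith("chrome.exe"):
            continue
        flags = sideload_flags(cmdline)
        if flags:
            hits.append({"cmdline": cmdline, "flags": flags})
    return hits


def is_suspicious_autostart(value_data):
    """True if an autostart value launches Chrome with an extension-sideloading switch."""
    return "chrome.exe" in value_data.lower() and bool(sideload_flags(value_data))


if __name__ == "__main__":
    for hit in detect_sideload(SAMPLE_EVENTS):
        print("sideload:", hit["flags"], hit["cmdline"])
    print("autostart suspicious:", is_suspicious_autostart(SAMPLE_RUN_VALUE))
```

Legitimate developers do use `--load-extension`, so in production this rule is best combined with the extension path (user-writable or temp directories) and the parent process before alerting.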