Nigelthorn Chrome Extension Malware

Nigelthorn is malware that has targeted the Chrome browser since March 2018 and is capable of stealing account credentials, mining cryptocurrency and generating fraudulent clicks.

Threat ID:: CC-2388
Category:: Botnet
Threat Severity:: Low
Threat Vector:: Download
Published:: 15 May 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Nigelthorn is malware that has targeted the Chrome browser since March 2018 and is capable of stealing account credentials, mining cryptocurrency and generating fraudulent clicks.

Affected platforms

The following platforms are known to be affected:

Google Chrome

Google Chrome - All versions

Threat details

The Nigelthorn malware spreads via social engineering, with users encouraged to click on links that lead to fake YouTube web pages. These web pages ask users to install a Chrome browser extension that appears legitimate in order to play the video, but the extension actually communicates with a Command and Control (C2) server.

When the malicious extension is run, users are redirected to Facebook in an attempt to compromise their accounts. Facebook and Instagram account credentials, authentication tokens and cookies are all uploaded to the C2 server. Nigelthorn uses the stolen accounts to spread further by publishing malicious links in spam messages or in posts which tag the user's contacts.

Nigelthorn also runs a browser-based cryptocurrency miner and generates false views, likes and comments on YouTube videos. The malware is capable of defeating some removal attempts, by preventing the extensions manager and some other Chrome and Facebook administration tools from being opened.

Remediation advice

To prevent and detect an infection, ensure that:

Remediation steps

Type	Step
	Permissions are set so that users cannot install untrusted browser extensions. A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

Permissions are set so that users cannot install untrusted browser extensions.
A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 17 February 2020 12:50 pm