Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data


Individual research contributed by Adi Raff and Yuval Shapira.

On May 3, 2018, Radware’s cloud malware protection service detected a zero-day malware threat at one of its customers, a global manufacturing firm, by using machine-learning algorithms. This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more.

Further investigation by Radware’s Threat Research group has revealed that this group has been active since at least March of 2018 and has already infected more than 100,000 users in over 100 countries. Facebook malware campaigns are not new. Examples of similar operations include facexworm and digimine, but this group appears to have been undetected until now thanks to the campaign consistently changing applications and the use of an evasive mechanism for spreading the malware.

Figure 1: The malware kill chain

Infection Process

Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections. The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.

Figure 2: Fake YouTube page

Once the user clicks on “Add Extension,” the malicious extension is installed and the machine is now part of the botnet. The malware depends on Chrome and runs on both Windows and Linux. It is important to emphasize that the campaign focuses on Chrome browsers and Radware believes that users that do not use Chrome are not at risk.


Botnet Statistics

Radware gathered the statistics from various sources, including the malicious extension statistics on the Chrome web store and the Bitly URL shortening service. A victim that clicks on “Add Extension” is redirected to a Bitly URL from which they will be redirected to Facebook. This is done to trick users and retrieve access to their Facebook account. Over 75% of the infections cover the Philippines, Venezuela and Ecuador. The remaining 25% are distributed over 97 other countries.

Figure 3: Bitly registration links with over 100,000 victims

Bypassing Google Application Validation Tools

The campaign operators created copies of legitimate extensions and injected a short, obfuscated malicious script into each copy to start the malware operation.

Figure 4: Legitimate version on the left, malicious version on the right

Radware believes that this is done to bypass Google’s extension validation checks. To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active.
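A reviewer who suspects an extension is a clone of a legitimate release can diff the two file trees and check every new or changed script for signs that it decodes or builds code at runtime. The following is an added example, not Radware's code or either extension's own: the two file trees are constructed stand-ins, not the real contents of Nigelify or PwnerLike.

```python
import hashlib
import re

# Constructed file trees (path -> content) standing in for a legitimate extension
# and a cloned copy; these are NOT the real Nigelify/PwnerLike sources.
LEGIT = {
    "manifest.json": '{"name": "Example Ext", "version": "1.0", "background": {"scripts": ["bg.js"]}}',
    "bg.js": "chrome.runtime.onInstalled.addListener(() => console.log('ready'));\n",
}
SUSPECT = {
    "manifest.json": '{"name": "Example Ext", "version": "1.0", "background": {"scripts": ["bg.js", "u.js"]}}',
    "bg.js": LEGIT["bg.js"],
    # Constructed stand-in for an injected loader: short, and decodes its payload at runtime.
    "u.js": "eval(atob('Y29uc29sZS5sb2coJ3BsYWNlaG9sZGVyJyk='));\n",
}

# Cheap indicators that a script builds or decodes code at runtime instead of shipping it plainly.
OBFUSCATION_MARKERS = {
    "eval": r"\beval\s*\(",
    "atob": r"\batob\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "hex-escapes": r"\\x[0-9a-fA-F]{2}",
}

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def diff_trees(legit, suspect):
    """Return (added, modified, removed) paths, comparing files by content hash."""
    added = sorted(set(suspect) - set(legit))
    removed = sorted(set(legit) - set(suspect))
    common = set(legit) & set(suspect)
    modified = sorted(p for p in common if sha256(legit[p]) != sha256(suspect[p]))
    return added, modified, removed

def obfuscation_indicators(script):
    """Names of the markers found in a script, sorted for stable output."""
    return sorted(n for n, pat in OBFUSCATION_MARKERS.items() if re.search(pat, script))

def review_clone(legit, suspect):
    """Summarise what the suspect copy changed and which new/changed scripts look obfuscated."""
    added, modified, removed = diff_trees(legit, suspect)
    flagged = {}
    for path in added + modified:
        if path.endswith(".js"):
            hits = obfuscation_indicators(suspect[path])
            if hits:
                flagged[path] = hits
    return {"added": added, "modified": modified, "removed": removed, "obfuscated_js": flagged}

if __name__ == "__main__":
    print(review_clone(LEGIT, SUSPECT))
```

In this constructed case the only additions are a new script and a manifest edit that registers it, which is exactly the shape the write-up describes.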

Known Extensions

The Malware

Once the extension is installed on the Chrome browser, a malicious JavaScript (see below) is executed that downloads the initial configuration from the C2.

Figure 5: Configuration file obtained from the C2

Afterwards a set of requests is deployed, each with its own purpose and triggers. Here is the communication protocol.

Malware Capabilities

Data theft

The malware is focused on stealing Facebook login credentials and Instagram cookies. If login occurs on the machine (or an Instagram cookie is found), it will be sent to the C2.

The user is then redirected to a Facebook API to generate an access token that will also be sent to the C2 if successful.

Facebook Propagation
Authenticated users’ Facebook access tokens are generated and the propagation phase begins. The malware collects relevant account information for the purpose of spreading the malicious link to the user’s network. The C2 path “/php3/doms.php” is accessed and returns a random URI. For example:


This link is distributed one of two ways: as a message via Facebook Messenger or as a new post that includes tags for up to 50 contacts. Once the victim clicks on the link, the infection process starts over again and redirects them to a YouTube-like webpage that requires a “plugin installation” to view the video.



Another plugin that is downloaded by the malware is a cryptomining tool. The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies. The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.

The pools Radware has witnessed are:
• 46uYXvbapq6USyzybSCQTHKqWrhjEk5XyLaA4RKhcgd3WNpHVXNxFFbXQYETJox6C5Qzu8yiaxeXkAaQVZEX2BdCKxThKWA
• 241yb51LFEuR4LVWXvLdFs4hGEuFXZEAY56RB11aS6LXXG1MEKAiW13J6xZd4NfiSyUg9rbERYpZ7NCk5rptBMFE5uZEinQ
• etnk7ivXzujEHf1qXYfNZiczo4ohA4Rz8Fv4Yfc8c5cU1SRYWHVry7Jfq6XnqP5EcL1LiehpE3UzD3MBfAxnJfvh3gksNp3suN

At the time of writing, approximately $1,000 was mined over six days, mostly from the Monero pool.

Figure 6: Cryptomining


The malware uses numerous techniques to persist on the machine and to keep its Facebook activity running.

1. If the user tries to open the extensions tab to remove the extension, the malware closes it and prevents removal.


2. The malware downloads URI regular expressions from the C2 and blocks the user from accessing any URL that matches those patterns. The following link patterns demonstrate how the malware attempts to prevent access to what appear to be Facebook and Chrome cleanup tools, and even prevents users from editing or deleting posts and making comments.

• https://**.exe*

YouTube Fraud
Once the YouTube plugin is downloaded and executed, the malware attempts to access the URI “/php3/youtube.php” on the C2 to receive commands. The retrieved instructions can be to either watch, like or comment on a video or to subscribe to the page. Radware believes the group is trying to receive payments from YouTube though we have not witnessed any videos with high view counts. An example of an instruction from the C2:

    "result": [
        {"id": "5SSGxMAcp00",
         "type": "watch",
         "name": "Sanars\u0131n animasyon yap\u0131lm\u0131\u015f | Da\u011f k\u0131za\u011f\u0131 ANKARA",
         "time": "07.05.2018 17:16:30"},
        {"id": "AuLgjMEMCzA",
         "start": "47",
         "finish": 1547,
         "type": "like",
         "name": "DJI phantom 3 sahil",
         "time": "07.05.2018 17:19:38"},
        {"id": "AuLgjMEMCzA",
         "type": "watch",
         "name": "DJI phantom 3 sahil",
         "time": "07.05.2018 17:30:25"}
    ]


Malware Protection

Zero-day malware leverages sophisticated evasion techniques, developed by skilled groups that study existing protections, and often bypasses them. Nigelify, which Radware identified in a well-protected network, had gone undetected despite several security solutions being in place. Radware’s machine-learning algorithms analyzed the communication logs of that large organization, correlated multiple indicators and blocked C2 access from the infected machines. Radware’s Cloud Malware Protection Service provides several capabilities.

• Detect new zero-day malware using machine-learning algorithms
• Block new threats by integrating with existing protection mechanisms and defense layers
• Report on malware infection attempts in your organization’s network
• Audit defenses against new exploits and identify vulnerabilities
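The detection described above correlated multiple indicators in communication logs rather than alerting on a single request. As an added example, not Radware’s product logic, the following script applies that idea to proxy logs using only the two C2 URI paths named in this write-up (“/php3/doms.php” and “/php3/youtube.php”); the log lines and host names are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# C2 URI paths named in the write-up. The C2 host is deliberately not part of the
# check, only the path, so the rule survives the group rotating domains.
C2_PATHS = frozenset({"/php3/doms.php", "/php3/youtube.php"})

# Constructed proxy log lines ("client method url status"); all hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET http://c2-placeholder.example/php3/doms.php 200
10.0.0.12 GET http://c2-placeholder.example/php3/youtube.php 200
10.0.0.12 GET https://bit.ly/PLACEHOLDER 301
10.0.0.40 GET https://www.youtube.com/watch?v=PLACEHOLDER 200
10.0.0.55 GET http://another-placeholder.example/php3/doms.php?x=1 200
10.0.0.60 GET http://benign.example/php3/index.php 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def c2_indicator(url):
    """Return the matching C2 path for a URL, or None (query strings are ignored)."""
    path = urlsplit(url).path
    return path if path in C2_PATHS else None

def correlate(log_text, min_indicators=2):
    """Map each client to the distinct C2 paths it requested, and flag clients that
    hit at least `min_indicators` distinct paths, so one odd request alone is not enough."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        ind = c2_indicator(m["url"])
        if ind:
            hits[m["client"]].add(ind)
    flagged = sorted(c for c, paths in hits.items() if len(paths) >= min_indicators)
    return dict(hits), flagged

if __name__ == "__main__":
    hits, flagged = correlate(SAMPLE_LOG)
    for client in flagged:
        print(client, "->", sorted(hits[client]))
```

Clients that touch only one path (10.0.0.55 here) are still reported in `hits` for triage but are not flagged, which is the trade-off the threshold expresses.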

As this malware spreads, the group will continue to look for new ways to use the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends that individuals and organizations update their current passwords and only download applications from trusted sources.

Figure 7: Diagram of solution architecture that outlines how Radware identified the malware bypassing the Secure Web Gateway

Indicators of Compromise

The bad browser extensions have been reported to the appropriate party and they have been removed.



  1. […] Cryptojackers secretly insert malware into scripts so as to mine cryptocurrency without triggering an intrusion alert. In May this year, cybersecurity firm Radware reported on several cryptomining malware Chrome extensions that “inject a short, obfuscated malicious script” in order to “bypass Google’s extension validation checks.” […]

  2. Thanks for this awesome information. You already know to be wary of third-party Android apps, and even to watch your back in the Google Play Store. A flashlight app with only 12 reviews might be hiding some malware as well. But your hyper-vigilant download habits should extend beyond your smartphone. You need to keep an eye on your desktop Chrome extensions as well.

    These handy little applets give you seamless access to services like Evernote or password managers or put your Bitmoji just a click away. As with Android apps, though, Chrome extensions can sometimes hide malware or other scourges, even when you install them from the official Chrome Web Store. Google says that malicious extension installs have decreased by roughly 70 percent over the last two and a half years, but a steady stream of recent research findings show that the problem, and risk to users, is far from resolved.

  3. A new strain of malware, dubbed Nigelthorn malware because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, most of them in the Philippines, Venezuela, and Ecuador (Over 75%).

    The new malware family is capable of credential theft, crypto mining, click fraud, and other malicious activities.

    According to the experts, the threat actor behind this campaign has been active since at least March 2018.

    The Nigelthorn malware is spreading through links on Facebook; victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once the victims accept the installation, the malicious extension is added to their browser.

  4. So many extensions. But for watching YouTube videos I have to watch at 2-3x speed and like fine adjustments. YouTube Playback Speed Control is a must. BTW I watched this video at 1.75, but some people are so slllllooooowww I have watched at 5x speed. It helps keep your attention and allows you to get more videos in a day.

  5. Another great extension is ‘Search Google for Image’. Right clicking the image above gives links that tell us it is some sort of speaker that bombards a microprocessor with sound waves that force it to accept commands. The heading for the article is ‘It’s Possible to Hack a Phone with Sound Waves’. I’d love it to have been a USB microscope though, but I suspect they are out there.

  6. […] Security firm Radware uncovered the attack, which they dubbed “Nigelthorn”, through its machine-learning algorithms. The attack was spread through Facebook, as users would click to a fake YouTube page, which directed users to download an extension to view the video. Once installed, the Chrome extension malware became capable of stealing user credentials, committing click fraud and installing cryptomining scripts on the local machine. […]

