The Nigelthorn malware is involved in large-scale click fraud and illicit crypto-mining campaigns that have spread to over 100,000 computers in various parts of the world. The primary tool used by the attackers is a bogus Chrome extension that goes by the name ‘Nigelify.’ Getting a hundred thousand users to install a suspicious browser add-on is not an easy task, so the attackers have crafted an elaborate scheme to trick users into installing the bogus extension.
The infection vector that Nigelthorn’s operators rely on is a simple one – they use Facebook spam bots to spread fake messages that appear to link to a YouTube video. Users who follow the link are taken to a page that is an identical copy of a YouTube video page, but it is not hosted on YouTube.com; instead, it is a fake page set up by the attackers. If users attempt to play the video, they may see a notification that a special plug-in is needed to view the content and are then redirected to Nigelify’s download page.
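A small check that follows from the lure described above, added here as an example and not part of the original article: before following a link that claims to be a YouTube video, classify its host. A copied video page has to live on a domain the attackers control, so a host that carries the YouTube brand string without being a genuine YouTube host is the signal. The allowlist of genuine hosts and the sample links are assumptions made for the demo.

```python
# Added example (not from the original article): classify a link that claims
# to lead to a YouTube video, flagging hosts that merely resemble YouTube.
from urllib.parse import urlsplit

# Hosts that actually serve YouTube video pages. Assumption: this short
# allowlist is sufficient for the check; extend it if your environment needs more.
GENUINE_VIDEO_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}


def classify_video_link(url: str) -> str:
    """Return 'genuine', 'lookalike' or 'other' for a link.

    'lookalike' means the host is not a real YouTube host but carries the
    brand string (in the host itself, e.g. youtube.com.example.net, or only
    in the path), which is how a copied video page typically presents itself.
    """
    # Links pasted into messages often lack a scheme; add one so the host parses.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in GENUINE_VIDEO_HOSTS:
        return "genuine"
    # Strip dots and hyphens so "you-tube.net" or "yout.ube.net" still match.
    squashed = host.replace(".", "").replace("-", "")
    if "youtube" in squashed or "youtu" in squashed:
        return "lookalike"
    if "youtube" in (parts.path + "?" + parts.query).lower():
        return "lookalike"
    return "other"


def triage_links(links):
    """Return only the links that should not be clicked, with their verdict."""
    return [(url, classify_video_link(url)) for url in links
            if classify_video_link(url) != "genuine"]


if __name__ == "__main__":
    # Constructed sample messages; none of these are real campaign URLs.
    sample = [
        "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
        "http://youtube.com.video-player.example/watch?v=dQw4w9WgXcQ",
        "http://cdn.example.net/youtube/watch?v=dQw4w9WgXcQ",
        "http://example.net/",
    ]
    for url, verdict in triage_links(sample):
        print(f"{verdict:9} {url}")
```

The check is deliberately conservative: anything that is not a genuine YouTube host is reported, and the brand-string test only decides between "lookalike" and "other". It does not attempt to detect the fake "plug-in required" prompt itself; that prompt only appears after the page has already been loaded.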
Nigelthorn also achieves persistence by disabling the user’s access to the Google Chrome extension manager, and by disrupting popular Facebook and Chrome cleanup tools that are often used to deal with unwanted extensions and scripts. Researchers have also identified a Nigelthorn module that appears to generate YouTube views, likes and subscriptions through the accounts used on the compromised computers.
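Because the malware is described as blocking the Chrome extension manager, a check that does not rely on that page is useful. The following is an added example, not code from the original article or from the researchers who analysed Nigelthorn: it inventories extensions directly from the Chrome profile on disk (`Extensions/<id>/<version>/manifest.json`) and flags entries by name and by breadth of requested permissions. The sample profile it builds, the manifests in it and the permission list used for flagging are constructed assumptions for the demo; in particular the "Nigelify" manifest here is invented and is not the real extension's manifest.

```python
# Added example (not from the original article): inventory Chrome extensions
# straight from the profile directory, so the triage does not depend on the
# chrome://extensions page that the malware is described as blocking.
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter every page and act on other
# tabs. Assumption: benign extensions request these too, so two or more of them
# is a triage signal, not a verdict.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs", "management"}

# The only name the article gives for the bogus extension.
KNOWN_BAD_NAMES = {"nigelify"}


def inventory_extensions(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarise each."""
    found = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return found
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it, keep triaging
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        found.append({
            "id": manifest.parent.parent.name,
            "name": str(data.get("name", "")),  # may be a __MSG_...__ localisation key
            "version": str(data.get("version", "")),
            "permissions": sorted(p for p in perms if isinstance(p, str)),
        })
    return found


def flag_suspicious(entries):
    """Return the entries worth a closer look, each with the reasons attached."""
    flagged = []
    for e in entries:
        reasons = []
        if e["name"].lower() in KNOWN_BAD_NAMES:
            reasons.append("name matches the extension reported in the campaign")
        broad = BROAD_PERMISSIONS & set(e["permissions"])
        if len(broad) >= 2:
            reasons.append("broad permissions: " + ", ".join(sorted(broad)))
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


def build_sample_profile(base_dir):
    """Create a constructed Chrome-like profile with two extensions.

    Both manifests are made up for the demo; neither is a real extension's manifest.
    """
    samples = {
        "a" * 32: {"name": "Tab Counter", "version": "1.0", "permissions": ["tabs"]},
        "b" * 32: {"name": "Nigelify", "version": "0.1",
                   "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking"]},
    }
    for ext_id, manifest in samples.items():
        # Chrome names version directories like "1.0_0".
        ext_dir = Path(base_dir) / "Extensions" / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo():
    """Build the constructed profile in a temp dir and return the flagged entries."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return flag_suspicious(inventory_extensions(tmp))


if __name__ == "__main__":
    for e in run_demo():
        print(e["id"], e["name"], e["version"], "|", "; ".join(e["reasons"]))
```

To run it against a real machine, point `inventory_extensions` at the profile directory instead of the constructed one (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default`; a `__MSG_…__` name means the real name lives in the extension's `_locales` folder). Reading the manifests from disk sidesteps the blocked extension manager, but it only tells you what is installed; removing the extension while the malware is still interfering with cleanup tools is a separate step.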
To make sure your computer is not part of the Nigelthorn campaign, run an up-to-date, reputable anti-malware suite, and keep in mind that the malware blocks the Chrome extension manager, so a clean view of that page is not by itself proof that the extension is gone.