On the morning of 26th June, news of a phishing campaign hit the Israeli media. Thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment.
Kaspersky Lab decided to investigate. We quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. We also found that the attack was not confined to Israel, but was hitting targets worldwide.
The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. This was designed to lure the victim back into the social network site.
Upon logging back into Facebook the victim’s session was hijacked in the background and a new file was downloaded. This represented the second stage of the attack, as embedded in this file was an account-takeover script that included a privacy-settings changer, account-data extractor and other tools that could be used for further malicious activity, such as spam, identity theft and generating fraudulent ‘likes’ and ‘shares’. Further, the malware infection loop began again as malicious notifications were sent to all the victim’s Facebook friends.
The Kaspersky Security Network (KSN) recorded almost ten thousand infection attempts around the globe in the space of just 48 hours.
Facebook has now mitigated this threat and is blocking techniques used to spread malware from infected computers. It says that it has not observed any further infection attempts. Google has also removed at least one of the culprit extensions from the Chrome Web Store.
The most affected countries were Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and, finally, Israel.
On a pie chart we can more easily see how the infection spread around the globe:
It’s worth mentioning that people using Windows-based computers to access Facebook were at the greatest risk. Those using Windows OS phones could have been at risk too, although this is less likely. Users of Android and iOS mobile devices were completely immune since the malware uses libraries which are not compatible with these mobile operating systems.
Malware downloaded from an Android device with invalid format error
The infection process
The infection seemed to begin when victims received a notification of a Facebook “mention” that appeared to come from a friend:
This provided the attackers with a rabbit hole through which they could hijack the user’s Facebook session and permissions and send out malicious notifications to the victim’s Facebook friends. During our investigation we found the script responsible for delivering the malicious notification. This script was triggered when the user of a compromised machine attempted to log in to Facebook via a malicious Chrome shortcut.
Size: 5.31 KB
The malicious file above was involved in the specific attack discussed in this blogpost. A Trojan downloader generator was discovered residing in the following domains:
A Facebook post that delivered the JSE malware downloader
The malicious code starts after a #NoTrayIcon directive: it initializes variables and immediately starts passing arguments to the decryption routine located at the end of the script. Most of the payloads are encrypted; however, the decryption key is hardcoded, so the standard decryption function can be copied out of the script and automated for safe decryption.
$KS50476D12399 = BinaryToString($KS50476D12399)
$YK28157F62492 = _Crypt_DecryptData($KS50476D12399, $JF22904R13060, $CALG_AES_256)
$YK28157F62492 = BinaryToString($YK28157F62492)
Or in a more simplified way:
$encrypted_input = BinaryToString($encrypted_input)
$decrypted_output = _Crypt_DecryptData($encrypted_input, $key, $CALG_AES_256)
$decrypted_output = BinaryToString($decrypted_output)
The function takes two arguments: a hexadecimal string representing the encrypted payload, and the key. The algorithm passed to _Crypt_DecryptData() is CALG_AES_256 (256-bit AES), which is hardcoded as well.
The code is generally pretty straightforward. Even without decrypting the encrypted content one can spot the stored variables being used: ProcessExists, ProcessClosed, DirCreate, AppDataDir, RegRead, FileDelete, DesktopDir and so on. In addition, the author left comments for the reader which can be very helpful.
The full code snippet can be found here: http://pastebin.com/raw/k8m0QP1p
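To automate that decryption outside the script, here is an added Go example (not code from the original post or from the sample) that re-implements what AutoIt’s _Crypt_DecryptData does for a CALG_AES_256 call when the key argument is a password string rather than a key handle (the AutoIt default path): the CryptDeriveKey MD5 key expansion, then AES-256-CBC with an all-zero IV and PKCS#5 padding. The key and plaintext it uses are constructed placeholders; the real hardcoded key is in the linked pastebin script.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// deriveKeyMD5 emulates the Windows CryptDeriveKey step behind AutoIt's _Crypt_DeriveKey
// (default base hash CALG_MD5): MD5 the password, XOR it into 0x36/0x5C pads, MD5 both pads.
func deriveKeyMD5(password string) []byte {
	h := md5.Sum([]byte(password))
	ipad, opad := bytes.Repeat([]byte{0x36}, 64), bytes.Repeat([]byte{0x5C}, 64)
	for i, b := range h { ipad[i], opad[i] = ipad[i]^b, opad[i]^b }
	a, c := md5.Sum(ipad), md5.Sum(opad)
	return append(a[:], c[:]...) // 32 bytes: the AES-256 key
}
// decryptAutoIt mirrors _Crypt_DecryptData($payload, $key, $CALG_AES_256): CBC, zero IV, PKCS#5.
func decryptAutoIt(hexPayload, key string) (string, error) {
	ct, err := hex.DecodeString(strings.TrimPrefix(hexPayload, "0x"))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("payload is not a whole number of AES blocks: %v", err)
	}
	block, _ := aes.NewCipher(deriveKeyMD5(key)) // key is always 32 bytes, so no error
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad padding: wrong key or corrupted payload")
	}
	return string(pt[:len(pt)-pad]), nil
}
// encryptAutoIt is the matching _Crypt_EncryptData, included only to build a ciphertext offline.
func encryptAutoIt(plain, key string) string {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(deriveKeyMD5(key))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return fmt.Sprintf("0x%X", ct) // AutoIt binary-literal form, as stored in the script
}
func main() { // constructed sample: key and plaintext are made up for this example
	ct := encryptAutoIt("ProcessExists", "placeholder-key")
	fmt.Println(decryptAutoIt(ct, "placeholder-key"))
}
```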
The group obfuscates its infrastructure using Cloudflare and registers domains with WHOIS guard privacy protection. It also monitors each infection using third-party analytics scripts.
We have found that this particular threat actor seems to prefer using the following providers: Amazon AWS, Google, WhosAmungUs, TinyURL, Bitly, Cloudflare and more, suggesting that it favours freeware over paid services.
What’s on the menu?
Once executed, the malicious script opens a socket to one of its command and control (C&C) servers, calling up a dozen files and downloading them one after the other from the C&C server, all with the same image extension (.jpg). The script then replaces this extension with the real ones. We’ve documented the following file extensions:
exe – utility to load malicious .au3 scripts.
bat – batch file that executes the binary, appending .au3 scripts as arguments.
au3 – malware code.
zip – empty zip.
json – manifest for Chrome extension configurations.
dat – malware version.
js – additional scripts supporting the Chrome extension and scripts to collect victims’ statistics.
Looking at the JSE file content, the first code segment is an array of strings. These strings are simply appended to the code and are in this form for the sake of code obfuscation.
Strings stored in the JSE file containing the C&C server and malicious files
At the top we see the strings responsible for opening the connection with the remote C&C server, followed by those for reading the files and changing their extension. The %APPDATA%, ExpandEnvironmentStrings and Mozila represent the actual location where the malicious files will be stored.
Looking at the destination folder of the malicious files we see a weird-looking variable name: Mozklasor. This translates to “Purple Folder” in Turkish, and points to Turkish-speaking threat actors, as mentioned above.
Creating %AppData%\Mozila directory to transfer malicious files
Browsers closed unexpectedly and new apps were added on the desktop
The malware terminated the Chrome process we were browsing in. In the same situation the most natural behaviour for a victim would be to look for the nearest browser application and execute it. Once the browser shortcut is executed, we notice two suspicious items.
Victim is lured into opening a malicious Chrome shortcut
The browser opens with an additional tab containing the Facebook login page. The threat actor believed that users who (like us) had been browsing through Facebook before encountering the malware, would simply expect the browser to restore the website. An important note for the sharp-eyed is that the restore window is open. This means that the Facebook page has not yet been restored by the user.
The second (tiny) item is an extension that has been silently added to the Chrome extensions list. It appears as a single lowercase letter ([a-z]) icon with a grey background on the top right-hand side of the toolbar.
Looking in the Mozila folder again we can identify a Manifest.json file which points to the fact that the infection process involves an extension.
A malicious extension is being added to Chrome
Browser extension permissions in detail
Alongside the permissions that the extension receives, it loads an external script (bg.js). This script is responsible for protecting it from being deleted. It also contains a listener to outgoing DNS-resolving queries sent via the URL bar, and blocks a large number of black-listed web domains.
Black-listed domains which are blocked from access
If the user attempts to access one of these websites, the browser will return the following error:
Black-listed domains blocked
After logging in, it can be seen that the attack was executed and that the user’s entire Facebook list was notified by the victim about a new URL. Upon clicking on this URL, the user’s friends will also become malware hosts and the infection process will loop again, through their friends.
Once the Chrome browser has been opened with the malicious extension, the Facebook page also opens in a new tab, luring the user into logging in. Once the user is logged in, a script starts running in the background. This script iterates through three domains to capture the login attempt and sends a malicious script that regenerates the initial infection through Facebook.
Upon the Facebook login attempt the malware captures the traffic
Inspecting the code, one readable string looks very familiar: it is the initial infection link from the beginning of the article. In addition to the infection routine, an account-takeover script has also been embedded in the same file, with a privacy-settings changer, account-data extractor and other tools.
To sum it up, the delivery of the malware was found to be very efficient and made its way through thousands of users in only 48 hours. The fast reaction from consumers and the media proved to be the core power driving awareness of this campaign. The social media network and service providers were also fast in blocking the attack.
Am I infected?
The easiest way to check whether you are infected is to open your Chrome browser and look for an extension named thnudoaitawxjvuGB. For a more thorough check, click Start > Run and enter the following path: %AppData%\Mozila. If that folder exists and contains files such as “autoit.exe” and “ekl.au3”, the computer is infected.
I was infected, what can I do?
Logout from your Facebook account, close the browser and disconnect the network cable from your computer. It is recommended that you ask an expert to check the computer and clean out any remaining malware. In addition, install an updated anti-virus program.
Kaspersky Lab products detect and block the threat, preventing it from infecting the machine.
A friend mentioned me in a post. Should I click on it?
Yes, keep using your social media as you did in the past. Just be aware that files which you do not recognize should not be installed on your computer or mobile phone.
I opened the file through my mobile phone, am I infected?
If you don’t have a Windows phone you cannot be infected through your smartphone. This malware is compatible only with Windows environments.
How can I prevent myself from becoming a victim?
The more we use the Internet, the greater the risk of becoming a target. However, service providers such as cloud storage, social networks and security products work day and night to stay one step ahead of the threats and keep their users safe. If possible, exercise caution when going online and try not to let others lure you into content, however tempting, if you have any concerns about it.
Ff.zip – Empty zip file
Ping.js – Used for whos.amungs.us analytics
Ping2.js – Used for whos.amungs.us analytics
ver.dat – Contains version: 1.5