Social networks represent a privileged attack vector for malware-based attacks, a recent investigation conducted by by the security researcher Mohammad Faghani revealed the existence of a Trojan is circulating among Facebook users. According to the researcher, the Trojan has already infected nearly 110,000 Facebook users in two days by spreading itself through malicious link.
Faghani explained that the Facebook Trojan spreads itself by posting links to a pornographic video from the account of unaware victims that have been previously infected.
The trojan tags the infected user’s friends in an enticing post. When users open the post, the user will see a preview of a porn video which eventually stops and asks for downloading a (fake) flash player to continue the preview, unfortunately the bogus application is the downloader of the Facebook Trojan.
To remain under the radar, the Facebook Trojan tags less than 20 user in each round of post, Faghani explained that the malware can manipulate keystrokes and mouse movement.
The researchers also added that this malware adopts a new technique in the threat landscape dubbed “Magnet” that consists in tagging the friends of the victim in a the malicious post.
“This trojan is different from the previous trojans in online social network in some techniques. For instance, the previous trojans sent messages (on behalf of the victim) to a number of the victim’s friends. Upon infection of those friends, the malware could go one step further and infect the friends of the initial victim’s friends. In the new technique, which we call it “Magnet”, the malware gets more visibility to the potential victims as it tags the friends of the victim in a the malicious post. In this case, the tag may be seen by friends of the victim’s friends as well, which leads to a larger number of potential victims. This will speed up the malware propagation.”
One of the indicators of compromise is the existence of the chromium.exe in the Windows processes.
Faghani is still investigating on this Facebook Trojan and will provide further details via Full Disclosure in the next weeks.
The MD5 of the executable file (fake flash player): cdcc132fad2e819e7ab94e5e564e8968
The SHA1 of the executable file (fake flash player): b836facdde6c866db5ad3f582c86a7f99db09784
The fake flash file drops the following executables as it runs: chromium.exe,
(Security Affairs – Facebook Trojan, social network)