Facebook Worm Lures with Promise of Smut Content, Delivered via Box Cloud Storage

Exterminator
A new worm has been detected spreading on Facebook via a complex redirect scheme that involves Amazon Web Services receiving the malware downloader that is hosted in an online storage account from Box cloud services.

As soon as the computer of a Facebook user becomes infected, the worm starts sending alluring messages to all the friends in the victim’s list, promising access to adult videos.

Complex redirect scheme lands Trojan on victim's computer
During the URL redirection procedure, the browser agent and computer platform are verified, and in the case of mobile devices, the user is steered to pages that display advertisements or localized spam content.

“The bad guys have built a multi-layer redirection architecture that uses the ow.ly URL shortener, Amazon Web Services and Box.com cloud storage,” Jerome Segura of Malwarebytes said in a blog post on Thursday.

The infection scheme starts with a shortened URL that leads to another, which in turn loads an Amazon Web Services page.

The next step is to take the victim to a malicious website responsible for filtering the users; those browsing from mobile receive ads, while desktop users receive a download request for a Trojan stored in Box’s cloud.

Executing the Trojan, detected by Malwarebytes products as Trojan.Agent.ED, concludes the infection cycle as it adds the worm to the computer from the domain porschealacam[.]com.

Rogue shortcut for Chrome browser created
According to Segura, the worm poses as an extension for Google Chrome and it has poor antivirus detection; at the moment of writing, VirusTotal lists only one product that marks it as a threat.

He says that some extra code is downloaded by the Trojan from a different domain, probably as a backup plan if the user does not browse with Chrome.

Apart from the rogue extension, the malware creates a shortcut to launch Chrome with the “-load-and-launch-app” parameter; calls a malicious app and loads Facebook’s website.

Segura says that the rogue browser allows the attackers to capture all user activity and restricts access to the list of extensions, thus preventing the victim from disabling the threat.

Operation can be re-deployed
Some of the URLs used by the cybercriminals for this operation have already been disabled, but they can always be replaced with others from different services.

The threat actor in this case has put in a lot of effort to set up a scheme that can be re-deployed with different lures, relying on legitimate services.

Users on Facebook or other social networking communities are advised to exercise care when receiving links that seem suspicious, even from individuals on their list of contacts.
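The persistence trick described above (a shortcut that launches chrome.exe with the “-load-and-launch-app” switch and then opens Facebook) is something a responder can hunt for in shortcut targets or process command lines. The script below is an added example and is not code from the post, from Malwarebytes or from the malware; the command lines it inspects are constructed samples, the paths in them are assumptions, and `--load-extension` is included as a second unpacked-code switch that the post does not mention.

```python
import ntpath
import re

# Chrome switches that make the browser load unpacked code from an arbitrary
# directory. Chromium accepts either dash style, so the parser strips leading
# dashes instead of matching them literally.
SIDELOAD_SWITCHES = {"load-and-launch-app", "load-extension"}

# One token is a run of unquoted characters and/or double-quoted spans, so
# -switch="C:\path with spaces" stays together as a single token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def chrome_switches(cmdline):
    """Return {switch: value} for a chrome.exe command line, or None if the
    command line does not launch chrome.exe."""
    toks = _TOKEN.findall(cmdline)
    if not toks:
        return None
    exe = toks[0].strip('"')
    if ntpath.basename(exe).lower() != "chrome.exe":
        return None
    switches = {}
    for tok in toks[1:]:
        if not tok.startswith("-"):
            continue  # positional argument, e.g. the URL Chrome should open
        name, _, value = tok.lstrip("-").partition("=")
        if name:
            switches[name.lower()] = value.strip('"')
    return switches


def audit_shortcuts(cmdlines):
    """Return (index, switch, value) for every Chrome launch that sideloads
    an app or extension from a directory given on the command line."""
    findings = []
    for idx, line in enumerate(cmdlines):
        sw = chrome_switches(line)
        if not sw:
            continue
        for name in sorted(SIDELOAD_SWITCHES & set(sw)):
            findings.append((idx, name, sw[name]))
    return findings


# Constructed sample shortcut targets (not taken from a real infection); the
# third one mirrors the pattern described in the post.
SAMPLE_SHORTCUTS = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default --app=https://mail.example.com/',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" -load-and-launch-app="C:\Users\victim\AppData\Roaming\Chrome Extension" https://www.facebook.com/',
    r'"C:\Windows\System32\notepad.exe" -load-and-launch-app=C:\foo',
]

if __name__ == "__main__":
    for idx, name, value in audit_shortcuts(SAMPLE_SHORTCUTS):
        print(f"shortcut {idx}: chrome.exe sideloads code via --{name}={value}")
```

On a live system the same function can be fed the resolved targets of every .lnk under the user's Desktop, Start Menu and Startup folders, or the command lines of running chrome.exe processes; any hit whose directory lies outside Chrome's own profile is worth pulling for analysis.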
 

omidomi
Congrats to F-Secure :D
 