Facebook Malware infected more than 110K users and is still rising

Facebook Malware

A new piece of Facebook malware, a Trojan, has infected more than 110,000 Facebook users in only two days.

The Trojan works by tagging the infected user's friends in an enticing post. When a friend opens the post, they see a preview of a pornographic video that plays for a short while, then stops and prompts them to download a (fake) Flash Player to continue watching. The fake Flash Player is the downloader for the actual malware.

This Trojan differs slightly from previous social-network malware. Earlier Trojans sent messages (on behalf of the victim) to the victim's friends; once those friends were infected, the malware could go one step further and infect their friends in turn.

In the new technique, which the Seclists post calls "Magnet", the malware gains more visibility among potential victims by tagging the victim's friends in the malicious post. The tag may then be seen by friends of the victim's friends as well, which widens the pool of potential victims and speeds up propagation.

Seclists has published the following indicators for identifying the malware, which may come in handy:

MD5 of the executable file (fake Flash Player): cdcc132fad2e819e7ab94e5e564e8968
SHA1 of the executable file (fake Flash Player): b836facdde6c866db5ad3f582c86a7f99db09784
Executables the fake Flash file drops as it runs: chromium.exe, wget.exe, arsiv.exe, verclsid.exe
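As an added example (not code from the article or from the Seclists post), the script below turns the published indicators into a simple on-disk check: it streams each file under a directory through MD5 and SHA1, treats a match against the published hashes as a strong hit, and treats a filename match against the dropped executables as a weak hit only. The weak/strong split is an assumption of this example, made because verclsid.exe is also the name of a legitimate Microsoft binary (as one commenter below points out), so a name hit on its own should prompt a closer look rather than a verdict. The sample files in the usage are constructed for the demonstration.

```python
import hashlib
import os
from pathlib import Path

# Indicators published on Seclists for the fake Flash Player downloader (from the article).
IOC_MD5 = "cdcc132fad2e819e7ab94e5e564e8968"
IOC_SHA1 = "b836facdde6c866db5ad3f582c86a7f99db09784"

# Executables the fake Flash Player drops while running (from the article).
# Caveat: verclsid.exe is also the name of a legitimate Microsoft binary, so a
# filename hit is only a weak signal; the hash match above is the strong one.
DROPPED_NAMES = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}


def file_digests(path):
    """Return (md5_hex, sha1_hex) of a file, streaming it in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def matches_published_hashes(md5_hex, sha1_hex):
    """True when either digest equals the published sample hash (case-insensitive)."""
    return md5_hex.lower() == IOC_MD5 or sha1_hex.lower() == IOC_SHA1


def classify(path):
    """Classify one file against the indicators.

    Returns "hash-match" (strong: the published downloader sample itself),
    "name-match" (weak: same filename as a dropped executable), or None.
    """
    md5_hex, sha1_hex = file_digests(path)
    if matches_published_hashes(md5_hex, sha1_hex):
        return "hash-match"
    if Path(path).name.lower() in DROPPED_NAMES:
        return "name-match"
    return None


def scan(root):
    """Walk a directory tree and return {path: verdict} for every file that hits an indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
            if verdict:
                hits[path] = verdict
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python ioc_check.py <directory>   (defaults to the current directory)
    for path, verdict in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:10s} {path}")
```

Run it against a user's profile or Downloads directory; a "hash-match" line identifies the downloader sample Seclists hashed, while a "name-match" line should be followed up by checking where the file lives and hashing it separately, since only the hashes tie a file to this campaign.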

According to Seclists' initial investigation, the malware is also able to hijack keyboard and mouse input.

4 comments

Rosalind Sanders February 14, 2015 - 6:31 pm
U.S. Tech Support says they work for Facebook. So when I told them I had picked up a virus from Facebook, why were they totally in the dark about this malware, insisting I had gotten infected from my IE homepage? More to the point, why didn't they warn their customers ahead of time, and then update their virus-killers beforehand?
Ed Torres January 31, 2015 - 4:53 pm
Looks like verclsid.exe is a legit software from Microsoft: http://www.liutilities.com/products/wintaskspro/processlibrary/verclsid/
Karusai January 30, 2015 - 6:08 pm
The real question, Brendan, is why are you trying to download an anti malicious tool for Android onto your Microsoft Government Office Computer?
Brendan Yates January 30, 2015 - 1:17 pm
So why are FB insisting we download ESET scanner, my government computer is saying it is spyware itself?