Facebook worm spreads by leveraging cloud services
Facebook users are in danger of having their computers turned in a bot by a worm that spreads via the social network.
The worm, identified as belonging to the Kilim malware family, ends on the victims’ computer after a series of links and redirections. According to Malwarebytes researcher Jerome Segura, it all starts with a message on Facebook linking to scandalous sex photos of teenagers.
The shortened ow.ly link leads to another one, which leads to an Amazon Web Services (AWS) page, which leads to a malicious site (videomasars.healthcare), which checks whether the victim is using a computer or mobile phone. If it’s the latter, they are redirected to affiliate pages for various offers. If they are on their computer, they are asked to download a file (Videos_New.mp4_2942281629029.exe) from a Box (cloud storage) account.
The file is a Trojan downloader and, when run, it downloads the worm component (a malicious Chrome extension) and additional binaries. It also creates a shortcut for Chrome that actually launches a malicious app in the browser directly to the Facebook website.
“In this “modified’ browser, attackers have full control to capture all user activity but also to restrict certain features,” Segura explains.
“For example, they have disabled the extensions page that once can normally access by typing chrome://extensions/, possibly in an attempt to not let the user disable or remove the malicious extension.”
The worm finally posts and sends the initial lure message to victims’ Facebook friends, aiming to start another, or hopefully more, infection cycles.