Breaking the latest Facebook-based malware

Hello,

Great to see all readers back. Today (20/4/2016) morning I received a Facebook message from a friend which looked like an image but was in fact an .html file. My first thought, obviously, was that this was a spear phishing or worm infection attempt, as I rarely open any suspicious file that has been sent online. So in response I asked the friend: have you clicked somewhere? Your account seems to be sending spam messages. He was actually clueless about what had happened, and that is when I decided to begin my research on the .html file.

Facebook worms are not new; there has been an increase of infections spread through social networking sites, as they are the best way to spread malware. Lots of malware in the past has targeted Facebook's users via spear phishing, and it keeps increasing as more people are connected with each other. Previously known worms include a YouTube-like link malware, the XClips worms, and malware that messages and spreads itself. Facebook has tried to keep users alert about such scams and worms, but most non-technical users don't know about that, and it is hard to stop such spam.


Now, coming back to the topic. I would like to discuss the virus I explored today. While downloading it, Facebook gave an alert, "Opening potentially unsafe attachment"; I just downloaded the file.

[Screenshot: Facebook's "Opening potentially unsafe attachment" warning]

The attachment was an HTML file named V1de0-4816.html

SHA-256 : 77882c4bf359a1b1d51f13ec491c3af17fc19e5c8208a28a762d8f7b6c4be117

I tried to see whether it was a known virus or not by checking it on VirusTotal. The results were as below.

[Screenshot: VirusTotal results for V1de0-4816.html]

Out of 56 anti-virus engines, only Rising detected the file as malicious and gave it the name HTML: Malware.Strealer!8.EF [F], so it was confirmed that the file could be malware with the name Strealer. 🙂 And it's FUD (fully undetectable) at the time of writing this blog.

Next, I looked at the source code of the HTML file. It was HTML encoded and looked like this:

[Screenshot: the encoded source of V1de0-4816.html]

Goodness gracious me! I decoded the format, and here is how it looked after decoding. This is a common way suspicious scripts are packed: the HTML file just runs a JavaScript.

[Screenshot: the decoded source]

As you can see, there is an iframe which points to a server at s3-eu-west-1.amazonaws.com and a page which acts as a file dropper: the file gets executed once it is downloaded. I tried changing user agents and downloading again to learn about the working mechanism, but the result remained the same. At first glance this looked like an exploit kit (EK) or a drive-by CRX downloader to me; I have faced similar and more complicated EKs like this. There are also some meta tags which give juicy information about the server. Good enough? Not yet!
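To show the unpacking step described above, here is an added Python triage helper (example code, not from the original post): it undoes the HTML entity encoding in layers, lists the iframe targets in defanged form, and pulls out the meta tags. The sample page is constructed for the example; the S3 host is the one named in the post, while the bucket name and path are placeholders.

```python
import html
import re

# Constructed sample in the style the post describes: the whole page is written
# as decimal character references so it reads as gibberish until decoded.
# The S3 host is the one from the post; bucket and path are placeholders.
_PLAIN = (
    '<html><head><meta name="generator" content="EXAMPLE-GENERATOR">'
    '<meta name="author" content="EXAMPLE-AUTHOR"></head><body>'
    '<iframe src="https://s3-eu-west-1.amazonaws.com/EXAMPLE-BUCKET/EXAMPLE.html" '
    'width="0" height="0" style="display:none"></iframe>'
    '<script>document.write("loading...")</script></body></html>'
)

def entity_encode(text: str) -> str:
    """Pack text as decimal character references (&#NN;), the packing seen in the sample."""
    return "".join(f"&#{ord(c)};" for c in text)

SAMPLE = entity_encode(_PLAIN)  # constructed stand-in for the packed V1de0-*.html

IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
META_TAG = re.compile(r'<meta\s+name\s*=\s*["\']([^"\']+)["\']\s+content\s*=\s*["\']([^"\']*)["\']', re.I)
HIDDEN = re.compile(r'<iframe[^>]*(?:width="0"|display:\s*none)', re.I)

def decode_layers(blob: str, max_rounds: int = 5) -> str:
    """Undo HTML entity encoding repeatedly; droppers sometimes nest it more than once."""
    current = blob
    for _ in range(max_rounds):
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    return current

def defang(url: str) -> str:
    """Make a URL non-clickable for reports: hxxp:// scheme and [.] in the host."""
    url = re.sub(r'^http', 'hxxp', url, flags=re.I)
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}{sep}{host.replace('.', '[.]')}{slash}{path}"

def triage(blob: str) -> dict:
    """Decode the packed page and report iframe targets, meta tags and whether the iframe is hidden."""
    source = decode_layers(blob)
    return {
        "iframe_targets": [defang(u) for u in IFRAME_SRC.findall(source)],
        "meta": dict(META_TAG.findall(source)),
        "hidden_iframe": bool(HIDDEN.search(source)),
    }
```

Run `triage(SAMPLE)` on the constructed blob, or pass the raw text of a suspicious attachment, to get the decoded iframe destination and meta tags without opening the page in a browser.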

I started static analysis of the file and found out some information about the file and the malware. No YARA rule matched.

116aa479619cdf87823e1f57bd5ff7f5707a17e4010368210b11d71836d479ec

Moving further, I carried out dynamic analysis, from which I found that two files run in the background after execution: an iexplore.exe, which had a process ID of 1320 in my case, and a child process rundll32.exe with ID 260. At first look the iexplore.exe executable looks legit, as the real iexplore.exe is a Windows Explorer process. But, as virus propagators are naughty, they gave their process the same name, and it runs even if Microsoft Windows Explorer isn't running. Sounds more complicated now? Analysing the file further, the executable contained the ability to block user input and had anti-debugging tricks in place. Hook detection was also noticed. It also checks the browser's history and cookies.

[Screenshot: analysis of the executable sample, 2016-04-20]

Some evident takeaways after analysing the executable sample: it makes its place in the registry so that whenever the PC is started, the file starts executing.

Targeting Chrome

Malicious Chrome extensions have been targeting users for a long time. This also happens in our case: the site has a landing page just like this. As soon as you open it, a (+18) video page resembling a YouTube clone appears, and after a few seconds it prompts you to download an extension. The name of the extension is "45to75".

[Screenshot: the fake YouTube-style landing page]

So, when the user actually clicks on Add Extension, that malicious extension gets added, resulting in the worm spreading. For the novice user, this is how the extension looks. You must remove it ASAP if you have mistakenly installed it. The typical Facebook video malware lies in the .crx extension. Currently Google has removed the extension, but black hat hackers may upload it anywhere.

[Screenshot: the "45to75" extension as it appears in Chrome]

How the worm works

When it gains access to your computer, the worm starts sending the message with the link to each and every one of your Facebook friends, unless Facebook's frame limit protection rules block it. Not only does it send the message, it also deletes the sent message so the victim gets no clue about what's happening. This is what happened with my friend. One more thing I noticed: it posted a site link with D-grade XClips content to lure people and tagged his friends in the post. Repeatedly, 7-8 Facebook posts were made from his account tagging all his friends. This way, once a victim clicks on the link the same process happens to them and the chain continues.

Where is this all coming from?

When I saw the post on my friend's wall, the link was to a website, "http://lawexpertsindia.com". The name sounds legit, but it isn't. I found out that the domain was registered on 19th April 2016 (the day before I wrote this blog), so it might be the person's day 1 of infecting. The website title is unique to beat the Google bots, and the registrant of the site is Kaltrina Miftari. Never assume the attacker is a fool who registers a site under his own name; with carding anything is possible nowadays. Even the name can be masked.

[Screenshot: domain registration details for lawexpertsindia.com]

Removal:

The malware/worm can be terminated once you end the task called iexplore.exe in the Task Manager. That also suspends the task tree, but to take it down completely you need to delete the file from its location, delete the .tmp file where it was downloaded in %TEMP%, delete the index.dat file in %LOCALAPPDATA%, and delete the file's registry entry at HKEY_LOCAL_MACHINE\software\windows\currentversion\shellcompatibility\Applications\iexplorer.exe. If using Chrome, delete any unknown extension like "45to75".

You can still use CCleaner; most antivirus products might not work because the detection ratio for Strealer is very low. But if you are a beginner and non-technical, there is nothing to do but restore a previous Windows backup, or run Malwarebytes or any good AV scan as a last resort, because I never trust AV for detecting 0-days.

In my friend's case, he downloaded and executed a file from an untrusted source and got trapped by this.

How to be safe in future?

Information security and cyber security is a vast field; even the pros get hacked. Frankly speaking, nothing called a completely secured world exists. But precautions can be taken.

  1. Don't download untrusted files from any source
  2. Don't open suspicious-looking messages, as they are a way of spear phishing
  3. Don't add harmful apps on your PC, mobile or on Facebook
  4. Don't be a click-bait guy.
  5. Enable Login Approvals
  6. Don't rely on cookies, and regularly change your password
  7. Use an up-to-date AV and browser
  8. Avoid links which lead to surveys, because they can be a drive-by method too
  9. Report any malware found to an expert

There are still lots more ways to be secure, but that would require a separate post. I hope you guys liked the post; keep sharing to help people secure themselves. 😀 I will add any new updates regarding this malware! Till then, goodbye.

Thanks  🙂
