Monday, June 10, 2013

Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook


A currently ongoing Facebook spreading malware-serving campaign, entices users into downloading and executing a malicious executable, pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality though, the executable, part of a campaign that's been ongoing for several months, will steal private information from local browsers, will auto-start on Windows starup, and will attempt to infect all of the victim's friends across Facebook.

The executable, including several other related executables part of the campaign, are currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Coode Project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain's portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

 

Sample redirection chain:
hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe

Subdomain reconnaissance:
profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimi14@live.com

Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s on the affected hosts:
MD5: 3729796a618de670128e80bb750dba35
MD5: bc5ea93000fd79cf3d874567068adfc5
MD5: 3448d5a74e86fdc88569df99dbc19c55
MD5: c3c67c3df487390dfdfa4890832b8a46
MD5: 161fff31429f1fcd99a56208cf9d2b58
MD5: c8dfbeb2e89a9557523b5a57619a9c44
MD5: b83d2283066c68e8cc448c578dd121aa
MD5: 0e254726843ed308ca142333ea0c5d28
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd
MD5: a3ef72a0345a564bde3df2654f384a21
MD5: 123c9d897b74548aa6ce65b456a8b732
MD5: 181f01156f23d4e732a414eaa2f6b870
MD5: 74d4b4298bc6fe8871ad1aa654d347c6




Download statistics for the malicious executables hosted on Google Code:
Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:
Profile Stalker - D.exe - MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT
Profile Viewer - 5.exe - MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the followind URLs/domains:
hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139

Facebook and Google have been notified.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.