Thursday, January 09, 2014

Dissecting the Ongoing Febipos/Carfekab Rogue Chrome/Firefox Extensions Dropping, Facebook Circulating Malicious Campaign


And, (not surprisingly) they're back! The cybercriminal(s) behind the 1 million+ clicks strong Febipos/Carfekab rogue Chrome/Firefox extensions dropping malicious campaign, continue utilizing the already infected 'population' for the purpose of disseminating the newly packed/modified extensions/samples across Facebook, with yet another campaign that I'll dissect in this post.

Catch up with previous research dissecting the previous campaigns:

Redirection chain: hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) -> hxxp://wqeuijlks.igg.biz/?asdjas22222222222222 (88.198.132.3) -> hxxp://prostats.vf1.us/s.htm -> hxxp://vidsvines.com/d/ -> hxxp://vidsvines.com/d/firefox ->
hxxp://vidsvines.com/d/ch/ -> hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42)

First GA Account ID: UA-23441223-3
Second GA Account ID: UA-25941572-1


Actual malicious content hosting locations (legitimate infrastructure again):
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFgyZzFzR1o3YTQ&export=download
hxxps://dl.dropboxusercontent.com/s/tj9n05qhjvnkg4s/whoviewsfam.xpi


Detection rates for the served rogue Chrome/Firefox extensions:
MD5: 0ee44443c73bd9b072c7f1dbb6b7b591
MD5: c4953f63ab46c796e23388f9c1cfa273
MD5: 5bcec283594e863f5dd238e2d22446c7


Once executed, MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: deb483270b9ed5da7fcf1d01a6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8 it then phones back to 212.117.32.20.


Related malicious MD5s known to have phoned back to the same IP:
MD5: 33408f35623dc5bb4a3bde09fa45f86b
MD5: 56a54a700ae5700c3cd3da9c2ad226cf
MD5: f86812305039156b1da8fc29bdddebb7
MD5: ede8f20d78a81c7da76ad7def37ebbdd

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.