And, not surprisingly, they're back! The cybercriminal(s) behind the 1 million+ clicks strong Febipos/Carfekab campaign dropping rogue Chrome/Firefox extensions continue to use the already infected 'population' to disseminate newly packed/modified extensions/samples across Facebook, in yet another campaign that I'll dissect in this post.
Catch up with previous research dissecting the earlier campaigns:
- Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush
- Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem
Redirection chain:
- hxxp://GXOMZRC.tk/?74604844 (18.104.22.168)
- -> hxxp://wqeuijlks.igg.biz/?asdjas22222222222222 (22.214.171.124)
- -> hxxp://prostats.vf1.us/s.htm
- -> hxxp://vidsvines.com/d/
- -> hxxp://vidsvines.com/d/firefox
- -> hxxp://vidsvines.com/d/ch/
- -> hxxp://vidsvines.com/d/ch/profile2.html (126.96.36.199)
First GA Account ID: UA-23441223-3
Second GA Account ID: UA-25941572-1
Actual malicious content hosting locations (legitimate infrastructure again):
Detection rates for the served rogue Chrome/Firefox extensions:
Once executed, MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: deb483270b9ed5da7fcf1d01a6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8; it then phones back to 188.8.131.52.
Related malicious MD5s known to have phoned back to the same IP:
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.