Tuesday, 14 May 2013

Browser extension hijacks Facebook profiles






We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox.
When installed, it attempts to update itself using the following URLs:  
Chrome browser:
du-pont.info/updates/<removed>/BL-chromebrasil.crx  
Mozilla Firefox browser:
du-pont.info/updates/<removed>/BL-mozillabrasil.xpi 
Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.
To begin with, this Trojan monitors a user to see if they are currently logged in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file contains a list of commands for the browser extension to carry out.
Depending on the file, this malware can do any of the following with the Facebook profile in use on an infected system:
  • Like a page
  • Share
  • Post
  • Join a group
  • Invite friends to a group
  • Chat to friends
  • Comment on a post
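The update and configuration URLs quoted above can be turned into a web-proxy log check. The Python code below is an added example, not part of the original post; the log layout, the function names and the stand-in host `host-redacted.info` are assumptions, and the `<removed>` parts of the URLs are treated as wildcards.

```python
import re
from urllib.parse import urlsplit

# Patterns built only from the URLs quoted in the post. The post redacts one
# path segment and one host name as "<removed>", so those parts are wildcards.
INDICATORS = {
    "update-chrome": ("du-pont.info", re.compile(r"^/updates/[^/]+/BL-chromebrasil\.crx$")),
    "update-firefox": ("du-pont.info", re.compile(r"^/updates/[^/]+/BL-mozillabrasil\.xpi$")),
    # Host is redacted in the post; only the ".info" suffix and the path are known.
    "config-fetch": (None, re.compile(r"^/sqlvarbr\.php$")),
}

def classify_url(url):
    """Return the name of the indicator a URL matches, or None."""
    if "://" not in url:
        url = "http://" + url          # proxy logs often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    for name, (want_host, path_re) in INDICATORS.items():
        host_ok = (host.endswith(".info") if want_host is None
                   else host == want_host or host.endswith("." + want_host))
        if host_ok and path_re.match(parts.path):
            return name
    return None

def scan_proxy_log(lines):
    """Return a list of (client_ip, indicator, url) for matching log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                   # skip malformed lines
        _ts, client, _method, url = fields[:4]
        name = classify_url(url)
        if name:
            hits.append((client, name, url))
    return hits

# Constructed sample log (timestamp client method url status); not real traffic.
# "EXAMPLE" and "host-redacted.info" stand in for the parts the post redacts.
SAMPLE_LOG = [
    "2013-05-14T09:01:02Z 10.0.0.21 GET http://du-pont.info/updates/EXAMPLE/BL-chromebrasil.crx 200",
    "2013-05-14T09:01:05Z 10.0.0.21 GET http://host-redacted.info/sqlvarbr.php?x=1 200",
    "2013-05-14T09:02:00Z 10.0.0.35 GET http://DU-PONT.info/updates/EXAMPLE/BL-mozillabrasil.xpi 200",
    "2013-05-14T09:03:00Z 10.0.0.40 GET http://example.com/updates/a/BL-chromebrasil.crx 200",
    "2013-05-14T09:03:10Z 10.0.0.40 GET http://du-pont.info.example.com/sqlvarbr.php 200",
    "garbage line",
]
if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
```

Because the configuration host is redacted, the `config-fetch` pattern matches the path on any `.info` host and should be treated as a lead to review rather than a confirmed detection.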
At the time of writing this blog, we have also seen the following behavior.
The configuration file contains a command to post the following message in Facebook:
  • GAROTA DE 15 ANOS VÍTIMA DE BULLYING COMETE SUICÍDIO APÓS MOSTRAR OS SEIOS NO FACEBOOK
    Vìdeo no link abaixo:<Currently unavailable link>
It is written in Portuguese and here’s an English translation:
  • 15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.
    Video on the link below: <Currently unavailable link>
The above URL is unavailable and already blocked by Facebook.
We also found that this threat tries to "like" and "comment" on a Facebook page:
