Recently a Microsoft blog was released describing a new Facebook Trojan classified as JS.Febipos.A by several AV vendors. Febipos is currently active in Brazil and takes control of your Facebook profile using a Firefox and/or Chrome extension that’s installed during execution. I managed to obtain several copies of the Febipos executable, which uses Facebook-like icons in an attempt to appear legitimate, along with being signed by digital certificates from ‘Updates LTD’.
According to Microsoft’s report, Febipos beacons to a C2 server and receives the following commands:
- Liking a page
- Sharing a post
- Posting messages
- Joining a group
- Inviting your friends to a group
- Sending messages and links via chat
- Commenting on posts
Febipos is packaged in a self-extracting archive (SFX) and is coded to silently install into the user’s temporary directory (%temp%). The Trojan’s main component is called ‘fbinstupd.exe’, appearing to be shorthand for ‘Facebook Install Update’. All program strings are in Portuguese, Brazil’s official language.
Upon execution you’ll also get a confirmation dialog that translates to ‘Installation completed successfully!’ Glad to know there weren’t any errors =)
In the image below, you’ll also see the results from a regshot capture; notice the installed Firefox extension that was placed in my profile directory. The Chrome extension was dropped in the %temp% directory along with the Trojan and another PE file.
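As an added host-triage example (not part of the Malwarebytes write-up), the PowerShell below looks for the artifacts described above: recently written PE files in %temp% and their Authenticode signer, new Firefox profile extensions, and extension folders dropped in %temp%. The seven-day lookback and the assumption that a dropped Chrome extension is an unpacked folder containing manifest.json are mine, not the post’s.

```powershell
# Added triage script; paths and lookback window are assumptions, not from the post.
$lookbackDays = 7
$since = (Get-Date).AddDays(-$lookbackDays)

function Test-IsPE {
    param([string]$Path)
    # Any PE file starts with the two-byte 'MZ' DOS header, whatever its extension.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $hdr = New-Object byte[] 2
        $n = $fs.Read($hdr, 0, 2)
        $fs.Close()
        return ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
    } catch { return $false }
}

# 1. Recently written PE files in %temp%, with signer; flag the name and signer named in the write-up.
Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and (Test-IsPE $_.FullName) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $note = if ($_.Name -ieq 'fbinstupd.exe' -or $signer -match 'Updates LTD') { 'MATCH' } else { '' }
        [PSCustomObject]@{
            Path   = $_.FullName
            Signer = $signer
            Status = $sig.Status   # Valid / NotSigned / UnknownError etc.
            Note   = $note
        }
    } | Format-Table -AutoSize

# 2. Firefox extensions added to any profile within the lookback window.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path (Join-Path $ffProfiles '*\extensions') -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime

# 3. Unpacked extension folders (manifest.json) sitting in %temp% (assumed layout).
Get-ChildItem -Path $env:TEMP -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object DirectoryName, LastWriteTime
```

Run it in an elevated session on the suspect machine; a MATCH row or a fresh extension entry is a lead to pull the file for analysis, not a verdict on its own.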
Febipos’ main component is heavily armored, and was passed through a software protection system known as ‘Obsidium’. You can check it out at http://www.obsidium.de/ for more information. While many programs like Obsidium, VMProtect and Themida are intended to protect commercial software products from piracy and reverse-engineering, they’re also used frequently to fortify malware. This has caused some AV vendors to flag files as malicious if they’ve been processed by these protection systems.
Unfortunately, I couldn’t get a copy of Febipos that still had a live C2 server, so I wasn’t too interested in doing any further analysis; however, Febipos along with Facebook scams attest to the fact that social media has come under heavy fire from blackhat cyber-criminals. As platforms like Facebook and Twitter allow everyone to be constantly connected, hackers have a new way to ‘connect’ with us.
On underground forums, for instance, it’s very common to see posts offering techniques to hack accounts, generate likes, etc. A lot of these tricks involve social engineering and sometimes exploiting Facebook’s password recovery options.
This has brought about a whole new market for many, who buy and sell Facebook traffic to the highest bidder. If you remember back in January I did a post on Malwarebiter, a Malwarebytes imitator with a Facebook page containing a suspicious number of likes, probably attributed to this kind of behavior.
With that being said, a word to the wise for our readers: safeguard your social media accounts like you would your email account, bank account, or other online account containing personal information. As sites like Facebook continue to integrate into much of our lives, we find that it’s used for much more than stating what’s on our minds. Now we can log in to other websites with our Facebook credentials, and sites like Twitter allow us to retrieve news that may influence our everyday decisions. For example, the Associated Press (AP) Twitter account hack of last month briefly impacted the stock market, causing a noticeable drop in the DOW after a fabricated tweet of White House explosions.
What’s more, the threat of malware targeting social media is becoming more apparent, as evidenced by Febipos. While current threats like Febipos are isolated and aren’t capable of doing irreparable harm, Facebook malware is still in its infancy stages, and is sure to advance given ample time. Reports are already surfacing of users creating Facebook botnets, leveraging the power and connectivity of social media to do their dirty work.
However, in Facebook’s defense, the social media giant hasn’t remained quiet amidst the attacks on its users. In recent times, there have been many security updates to password recovery, account creation, and a huge crackdown on fake profiles. Today if you created a new Facebook profile, you’d notice you have to verify who you are, not only with a captcha, but by providing a phone number to retrieve an SMS code needed for account activation.
Read More: http://blog.malwarebytes.org/intelligence/2013/05/brazilian-facebook-trojan-and-consumer-security/