Fake Chrome Flash Player extension targets Facebook users

January 3, 2014

The Dell SonicWall Threats Research team has received reports of a Trojan posing as a fake flash player targeting the Google Chrome browser. The malicious plug-in is being distributed through compromised legitimate websites whose URLs are posted as status updates on popular social networking sites, attracting unsuspecting users to install the update to view a video. The trojan installer uses the following icon:

Figure 1: Installer icon

Infection Cycle:

Upon execution the Trojan creates a copy of itself into the following location:

  • %APPDATA%net.exe [Detected as GAV: FBook.O (Trojan)]

It then downloads a zipped file containing additional components:

Figure 2: Downloading extcookbackup.zip from a remote server

The contents are then extracted into the following locations:

  • %OSDRIVE%IntelNews[*random digits*]background.js - script that downloads an updated list from the server that gets appended to script1.js
  • %OSDRIVE%IntelNews[*random digits*]favicon.ico
  • %OSDRIVE%IntelNews[*random digits*]icon.png
  • %OSDRIVE%IntelNews[*random digits*]manager.html
  • %OSDRIVE%IntelNews[*random digits*]manager.js - script that manages Chrome cookies
  • %OSDRIVE%IntelNews[*random digits*]manifest.json - Chrome extension's manifest file that provides information such as the name, version, icon and permisions used as seen in figure:3 below
  • %OSDRIVE%IntelNews[*random digits*]popup.html
  • %OSDRIVE%IntelNews[*random digits*]script1.js - script that will auto-"like" a list of facebook pages

It installs itself as a browser extension named "Flash Player" with the following permissions:

Figure 3: Fake Flash Player browser extension

It then terminates currently open Chrome browser sessions. And on restart, it downloads a script with an updated list of facebook fan pages:

Figure 4: Downloading an updated script from a remote server

Figure 5: Contents of the script showing a list of facebook fan pages

Once the Trojan detects an active Facebook login session, it "likes" a list of pages supplied by the malware author using the user's account. Although these "likes" will not be visible in the user's facebook timeline, it will be shown in the user's activity log. It does this periodically to ensure that the supplied list of facebook pages are in "liked" state for the active Facebook login session.

Figure 6: Sample Facebook activity log of a victim account
figure 5: Contents of the script showing a list of facebook fan pages

In order to start after reboot and to ensure that all components are continuously downloaded and updated the Trojan adds the following key to the registry:

  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun [.NET] "%APPDATA%net.exe"

Visiting the remote server, we found the contact information of the malware author.

Figure 7: Remote server homepage

And based on this information, we found several posts from this author in underground forums and social networking sites promoting different advertising packages for page clicks, page likes and page views.

Figure 8: Malware Author Sample Ads

Figure 8: Malware author Ad 1 Figure 9: Malware author Ad 2 Figure 10: Malware author Ad 3

We urge our users to always be vigilant and cautious with installing unknown applications, browser extensions, addons or plugins, particularly if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FBook.O (Trojan)
  • GAV: JS.FBLike (Trojan)