Fake Chrome Flash Player extension targets Facebook users
The Dell SonicWall Threats Research team has received reports of a Trojan posing as a Flash Player update for the Google Chrome browser. The malicious plug-in is distributed through compromised legitimate websites whose URLs are posted as status updates on popular social networking sites, luring unsuspecting users into installing the "update" in order to view a video. The Trojan installer uses the following icon:
Figure 1: Installer icon
Upon execution, the Trojan creates a copy of itself in the following location:
- %APPDATA%\net.exe [Detected as GAV: FBook.O (Trojan)]
It then downloads a zipped file containing additional components:
Figure 2: Downloading extcookbackup.zip from a remote server
The contents are then extracted to the following locations:
- %OSDRIVE%\IntelNews[*random digits*]\background.js - script that downloads an updated list from the server, which is appended to script1.js
- %OSDRIVE%\IntelNews[*random digits*]\favicon.ico
- %OSDRIVE%\IntelNews[*random digits*]\icon.png
- %OSDRIVE%\IntelNews[*random digits*]\manager.html
- %OSDRIVE%\IntelNews[*random digits*]\manager.js - script that manages Chrome cookies
- %OSDRIVE%\IntelNews[*random digits*]\manifest.json - the Chrome extension's manifest file, which provides information such as the name, version, icon and permissions used, as shown in Figure 3 below
- %OSDRIVE%\IntelNews[*random digits*]\popup.html
- %OSDRIVE%\IntelNews[*random digits*]\script1.js - script that will auto-"like" a list of Facebook pages
It installs itself as a browser extension named "Flash Player" with the following permissions:
Figure 3: Fake Flash Player browser extension
It then terminates any open Chrome browser sessions. When Chrome restarts, the extension downloads a script containing an updated list of Facebook fan pages:
Figure 4: Downloading an updated script from a remote server
Figure 5: Contents of the script showing a list of facebook fan pages
Once the Trojan detects an active Facebook login session, it "likes" a list of pages supplied by the malware author using the victim's account. Although these "likes" are not visible in the user's Facebook timeline, they do appear in the user's activity log. The Trojan repeats this periodically to ensure that every page on the supplied list remains in the "liked" state for the active Facebook session.
In order to start after reboot, and to ensure that all components are continuously downloaded and updated, the Trojan adds the following key to the registry:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [.NET] "%APPDATA%\net.exe"
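The two host-side traces described above, the extension manifest (name, permissions, background scripts) and the Run-key persistence entry, can be checked with a short hunt script. This is an added example, not code from the SonicWall write-up; the manifest it inspects is a constructed sample built only from the traits the advisory lists, and the heuristics (plug-in name on an extension, cookie/tab access plus Facebook host access, a bare executable in the %APPDATA% root) are the author's assumptions.

```python
"""Hunt helper modelled on the fake "Flash Player" extension described above.
Added example, not code from the SonicWall write-up; SAMPLE_MANIFEST is a
constructed stand-in built from the traits the advisory lists."""
import json

# Flash shipped as a browser plug-in, never as a Chrome extension, so an
# extension carrying this name is impersonating it.
IMPERSONATED_NAMES = {"flash player", "adobe flash player"}
SESSION_PERMISSIONS = {"cookies", "tabs"}


def assess_manifest(manifest_text):
    """Return a list of findings for one manifest.json (empty when nothing is suspect)."""
    manifest = json.loads(manifest_text)
    findings = []
    name = manifest.get("name", "").strip().lower()
    # Manifest v2 keeps API permissions and host match patterns in one list.
    perms = [p.lower() for p in manifest.get("permissions", [])]
    if name in IMPERSONATED_NAMES:
        findings.append("name impersonates a browser plug-in: %r" % manifest["name"])
    api_perms = sorted(SESSION_PERMISSIONS.intersection(perms))
    fb_hosts = [p for p in perms if "facebook.com" in p]
    if api_perms and fb_hosts:
        findings.append("can act inside a logged-in Facebook session: %s + %s"
                        % (api_perms, fb_hosts))
    scripts = manifest.get("background", {}).get("scripts", [])
    if len(scripts) > 1:
        findings.append("several background scripts (one may rewrite another): %s" % scripts)
    return findings


def assess_run_entry(value_name, command):
    """Flag a Run-key value that launches an executable sitting directly in %APPDATA%."""
    cmd = command.strip().strip('"').lower()
    prefix = "%appdata%\\"
    if cmd.startswith(prefix):
        rest = cmd[len(prefix):]
        if "\\" not in rest and rest.endswith(".exe"):
            return "Run value %r starts %s from the profile root" % (value_name, command)
    return None


SAMPLE_MANIFEST = json.dumps({  # constructed sample, not the real dropped file
    "name": "Flash Player", "version": "1.0", "manifest_version": 2,
    "icons": {"128": "icon.png"},
    "permissions": ["cookies", "tabs", "http://*.facebook.com/*", "https://*.facebook.com/*"],
    "background": {"scripts": ["background.js", "script1.js"]},
})
```

On a live system the same functions would be fed each manifest.json found under the Chrome extensions directory and each value read from the Run key shown above.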
Visiting the remote server, we found the contact information of the malware author.
Figure 7: Remote server homepage
Based on this information, we found several posts by this author in underground forums and on social networking sites promoting various advertising packages for page clicks, page likes and page views.
Figure 8: Malware Author Sample Ads
We urge our users to remain vigilant and cautious when installing unknown applications, browser extensions, add-ons or plug-ins, particularly when the source cannot be verified.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: FBook.O (Trojan)
- GAV: JS.FBLike (Trojan)