Malicious Messages Foray Facebook

In yet another method for cyber criminals to use the world’s most popular social networks for their own nefarious purposes, it appears a trojan is circulating through Facebook, compromising accounts and (probably) stealing credentials.

Thanks to the vigilance of Malwarebytes user Showbizz, we were able to take a look at this new threat and what it could mean for the rest of the net.

Here is how it works:

  1. The user gets a Facebook instant message from a friend of theirs, which includes the word ‘lol’ and a file waiting to be downloaded.
  2. The user downloads the file because they assume it can be trusted. The filename matches the usual filename of a photo: ‘IMG_xxxx’.zip.
  3. Once downloaded, the user unzips the file and clicks on what they assume is an image file, still called IMG_xxxx.jar.
  4. The JAR file executes, downloads malware and infects the system.
  5. The infected user’s Facebook account is compromised and then used to send more malware to the user’s friends.

Unlike previous versions of this scam, the cyber criminals appear to have combined several different infection tactics to reach the usual goal.

The first is the use of instant messaging. We have seen plenty of malware use instant messaging in various forms to send malicious files to victims, including over Skype, MSN, Yahoo and others.

Chat

The second is the use of the text ‘lol’, which is really nothing more than a clever hook to get the user to open the file. Similar attacks have used terms like ‘omg, is this you’ or ‘I can’t believe someone posted this’.

The purpose is to catch the user’s attention, and surprisingly, in our world of fast-paced information consumption, something as simple as ‘lol’ from a friend is enough to slow us down.

The third is the use of the ZIP format to hide the payload: the user downloads the ZIP file from the attacker (or from a compromised account) and has to unzip it in order to reach the actual malicious file.

Zip

The fourth is the use of a JAR file, a Java archive. Usually we only see this kind of method used in drive-by attacks, where Java is used to exploit the system and execute the malware. In this case, the Java file (not inherently malicious on its own) reaches out and downloads the actual malware from a remote Dropbox account. It then silently installs the malware as a service on the system.
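The lure in the steps above and in the ZIP/JAR discussion is a file named like a camera photo that is really a Java archive inside a ZIP. The following triage helper is an added example, not code from Malwarebytes or from the post: it opens an attachment ZIP and flags entries whose photo-style name, executable extension, or actual content (a nested ZIP carrying a manifest or class files, checked by content rather than by name) does not match what a photo should look like. The sample attachment it builds (IMG_0419.jar, IMG_0420.jpg, the manifest text) is constructed for the example and carries no payload.

```python
import io
import re
import zipfile

# Lure pattern from the post: a camera-style photo name (IMG_xxxx) that is really a JAR.
PHOTO_NAME = re.compile(r"^(IMG|IMAGE|DSC)_?\d+", re.IGNORECASE)
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8")  # JPEG, PNG, GIF headers
EXECUTABLE_EXT = {".jar", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}


def looks_like_jar(data: bytes) -> bool:
    """Decide by content, not by name: a JAR is a ZIP carrying a manifest or .class files."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = [n.upper() for n in inner.namelist()]
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".CLASS") for n in names)


def triage_attachment(zip_bytes: bytes) -> list:
    """Return one finding per suspicious entry in the outer ZIP, with the reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            data = outer.read(info)
            reasons = []
            if PHOTO_NAME.match(base) and ext not in IMAGE_EXT:
                reasons.append("photo-style name with a non-image extension")
            if ext in EXECUTABLE_EXT:
                reasons.append("executable extension " + ext)
            if ext in IMAGE_EXT and not data.startswith(IMAGE_MAGIC):
                reasons.append("image extension but the content is not an image")
            if looks_like_jar(data):
                reasons.append("content is a Java archive")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_lure() -> bytes:
    """Constructed stand-in for the attachment: a benign JPEG stub plus an empty JAR named like a photo."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # no classes, no payload
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("IMG_0420.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG magic, dummy body
        z.writestr("IMG_0419.jar", jar.getvalue())  # the lure: photo name, Java archive inside
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment(build_sample_lure()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run against a real attachment by passing the file’s bytes to `triage_attachment`; the content check matters because an attacker can rename the JAR to anything, while the manifest and class entries inside the archive are what make it runnable by Java.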

Code

The malware installed is currently being analyzed to determine its exact purpose, but we can say for sure that it is some kind of trojan that injects into legitimate processes running on the victim’s system.

VT

VirusTotal currently shows a detection rate of 27/50. If anyone wants to dig deeper into these samples, please feel free:

The origin of the threat is also under investigation; however, some of the text found within the Java file leads us to believe it was developed by someone who speaks Greek.

So how do you protect yourself from this? Easy, don’t download the file.

If you get any kind of file from a friend without prompt or warning, ask your friend what the file is before opening it. If they respond with ‘lol, this is my cat wearing his new hat, you’ve got to see this!’ or something similar, then proceed.

If they don’t respond, or they say ‘I dunno, I didn’t send that’, then suggest that your friend run an AV scan and change their Facebook password, in that order.

Thanks for reading and safe surfing!


  • whorider

    Multi-Platform jar? Or windows only?

  • Adam Kujawa

    Windows only since it installs the malware into the C:\Temp folder.

  • whorider

    Thanks, missed that.

  • Pingback: Alert: A trojan is circulating through Facebook | Loren on CyberSecurity

  • Pingback: Malicious Messages Foray Facebook | Computers a...

  • https://www.facebook.com/showbizz Carsten Carlsen

    It seems that a new variant is spreading.

    Still via the FB inbox, with the contents
    LOL
    IMG_xxxxxx.zip

    It still contains the JAR file in the packed ZIP.
    The Dropbox link has changed; I got lucky and downloaded the new module.dat.
    It seems that the file size has changed compared with the first one.

    If the JAR file is activated, then it normally drops a file in the infected PC’s
    c:/TMP folder, a file called hellmans.dat.

    The new one drops a file under c:/TEMP; now the file is asdfrr.dat.

    We are still trying to figure out where it came from…

    // Showbizz

  • https://www.facebook.com/zallenair Zachary Allen

    @Carsten

    Can you provide a download link to the message? I believe I found two more variants and was wondering if we found the same one.

  • https://www.facebook.com/showbizz Carsten Carlsen
  • https://www.facebook.com/steve.pobuda Steve Pobuda

    I got this the other day, just like it’s posted in the example: lol (with attachment). Luckily my virus protection caught it. My friend later contacted me with apologies, letting me know their account was hacked by that malware.

  • Pingback: OPREZ: Trojanac se širi preko Facebook poruka | Grocka Info

  • https://www.facebook.com/xarlesh Andreas Gößnitzer

    Just stumbled across this thread while doing research on a strange
    .jar file I caught 2 days ago. It’s exactly the same thing: a text message saying
    “lol”, with an attached .zip file with a file called image410.jar in it.

    Now my question: is this whole thing still going round? I ran Anti-Malware directly afterwards, but still can’t say for sure if it’s gone or not. And if the answer is yes,
    wanna check that version out?
    Sorry for asking stupid questions, I’m just not used to having to worry about crap like that… usually I don’t accept anything, but they caught me this time, because it came from the only English-speaking person on my friend list…

  • Adam Kujawa

    Andreas, it’s possible that if you executed the JAR it didn’t infect your system; maybe the remote file that it wanted to download was unavailable. If you still have the JAR file, I would be glad to take a look at it. Thanks for the comment!

  • https://www.facebook.com/xarlesh Andreas Gößnitzer
  • hi78615

    Hi Adam, thanks for sharing the info. But I saw it late, and since it came from a friend I clicked on it in March 2014. Then later I deleted the JAR file from my system, ran an antivirus scan of my system, cleared browsing history, and tried to clear the %Temp% folder. All files got deleted except one with the name “rnd.dat”; it is a .dat file of 1 KB with the same date on which I downloaded the ZIP file. It is not getting deleted; it says the file is open in another program. I tried deleting it in safe mode; it got deleted but reappeared again. Can this file be a threat or virus???
    If yes, then how do I get rid of this???

    Also, yesterday this LOL ZIP message was again sent to my friends from my Facebook account. I had not clicked on any message or link. I don’t know how it is getting forwarded again and again in my name. I had also changed my password in March after the first attack, when I read about this malware. How do I fix this, so that next week or next month it is not circulated from my FB account again?

    Thanks …
    Awaiting your reply…

  • Adam Kujawa

    Hey there Hi.
    First thing, log into your FB from a different computer/device and change the password; you might also consider activating their two-factor authentication feature. Next, take everything you told me and create a new thread on our support forums; those guys will walk you through checking out that .dat file and getting rid of it =D. Good luck!

    https://forums.malwarebytes.org/index.php?showforum=7

    Adam

  • srikanth

    Unfortunately I downloaded the file and my PC is infected. I just ran my AV and moved the infected files to the chest in Avast. Can anyone suggest how to completely remove this trojan?

    Suggestions would be appreciated.

    Thanks,
    Sri

  • Pingback: OPREZ: Trojanac se širi preko Facebook poruka | REGIJA DOBOJ JUGA

  • https://www.facebook.com/n.sindhuja.89 Sai Nadiminti

    What if I already downloaded it and tried to open it, and it does not open??? What now???

  • Adam Kujawa

    Hey Sai, if it didn’t open then fantastic; however, it’s best to run an AV scan using whatever antivirus product you prefer and a scan with Malwarebytes Anti-Malware (the free version should do fine if you don’t already own it). In addition to that, I would keep an eye on your Facebook activity, and if anyone mentions that your account is doing anything out of the ordinary, then I would change the password of your FB account from a different system and not log in again on your own computer until you can be sure the threat is gone. Good luck!

    Adam

  • https://www.facebook.com/wildwelshwoman Linda Hall

    Twice today a zip file arrived in my inbox and started spooling through my friends list. I didn’t even open the file but it infiltrated my list anyway. Tried doing two full scans using two different anti-virus programs but neither detected anything. Is there anything a Facebook user can do to prevent these Trojans from getting into the inboxes to begin with?

  • https://www.facebook.com/BrandonYoung343 Brandon Young

    When running the Malware-Bytes scan I found two Backdoor files. I have a “Snip” of the files if you want it. But I’m not too sure if you want it because of this situation. :/

  • Siva kanth Sharma

    I downloaded and opened one such file. I found the files in the temp folder and deleted them and the original JAR file, but I noticed that some program is running in the background using at least 50% of the CPU. I tried finding it in Task Manager, but it shows no out-of-place processes or programs. I read on another site to delete a key in the registry, but I found no such key. What should I do?

  • Pingback: LOL.zip continua a fazer vítimas no Facebook | INFORSALVADOR

  • Pingback: Virusi u porukama preko Facebook-a | Virsto Marketing Škola

  • Pingback: LOL jar file malware just goes viral through facebook messages | Satellite-Iptv-Hacking & Security News

  • karl

    Hello. I’m currently playing with such malware. It seems to have changed a bit (it has obviously been obfuscated: http://pastebin.com/1qUjjHKn).

    The malware now uses a rather large set of Dropbox links and tries to find one that’s still valid (2xx HTTP response). It downloads it to C:\Temp\DVUXW.CFG. Then it adds the malicious file to the Microsoft Register Server.

    Here’s an output I generated from the source code. http://pastebin.com/4BXRwPCT

    Regards,
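The fallback behaviour described in the comment above (cycling through a list of file-hosting links until one returns 2xx) leaves a recognisable trace in web proxy logs: one client producing a burst of failed requests to the hosting domain immediately followed by a successful download. The script below is an added detection sketch, not code from the post or from any product; the log line layout (time, client, status, URL) and the log lines themselves are constructed for the example, and the domain suffixes are an assumption about where the links point.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log in a simple space-separated layout: time client status url.
# This layout and every address in it are made up for the example.
SAMPLE_LOG = """\
2014-03-02T10:00:01 10.0.0.5 404 https://dl.dropboxusercontent.com/u/111/a.cfg
2014-03-02T10:00:02 10.0.0.5 404 https://dl.dropboxusercontent.com/u/222/b.cfg
2014-03-02T10:00:03 10.0.0.5 403 https://dl.dropboxusercontent.com/u/333/c.cfg
2014-03-02T10:00:04 10.0.0.5 200 https://dl.dropboxusercontent.com/u/444/d.cfg
2014-03-02T10:00:05 10.0.0.7 200 https://www.dropbox.com/home
2014-03-02T10:00:06 10.0.0.9 404 https://example.net/missing
2014-03-02T10:00:07 10.0.0.9 200 https://example.net/index.html
"""

LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")

# Assumed hosting domains for this example; adjust to whatever the links in your samples use.
HOSTING_SUFFIXES = ("dropbox.com", "dropboxusercontent.com")


def parse(log_text):
    """Yield (time, client, status, url) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, status, url = m.groups()
            yield ts, client, int(status), url


def is_hosting_domain(url, suffixes=HOSTING_SUFFIXES):
    host = urlparse(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_fallback_downloads(log_text, min_failures=2):
    """Flag clients that fail min_failures or more times against the hosting domain and then succeed.

    Failures are counted per client and reset on every 2xx, so an ordinary user who simply
    opens one working link never accumulates a run and is not reported.
    """
    failures = defaultdict(list)
    hits = []
    for ts, client, status, url in parse(log_text):
        if not is_hosting_domain(url):
            continue
        if 200 <= status < 300:
            if len(failures[client]) >= min_failures:
                hits.append({"client": client, "failed": len(failures[client]),
                             "url": url, "time": ts})
            failures[client].clear()
        else:
            failures[client].append(url)
    return hits


if __name__ == "__main__":
    for hit in find_fallback_downloads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} succeeded after {hit['failed']} failures: {hit['url']}")
```

Tune `min_failures` to the noise level of your environment; the point of the check is the sequence (several dead links, then a live one, from the same client) rather than any single URL, which is why it survives the link rotation the comment describes.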

  • karl

    This is silly. The executable I downloaded and examined a bit seems to bundle minerd. It’s probably just a bitcoin miner malware spreading through Facebook.

    Looks pretty well-designed to me for such a purpose though. Must be a juicy business.

  • Adam Kujawa

    Hey Karl, the payload executable most definitely changes depending on the purpose of the attacker. So it’s possible that what you found might be just a miner, but what other people have experienced is something completely different. This certainly puts a new spin on the story though; thanks for the input!

  • Thomas Barr

    I recently ran the recommended antivirus software to get rid of this malware. I never clicked on it. But… it seems to have got into the system via the applications, not the passwords. I use rather long passwords and typically string several random things together. I change these about 2-3x a week now. I run the antivirus scans every 2-3 days; they do not pick up any new threats/viruses. I also closed and deleted the apps. But… they continue to send out the files to my contacts. Given everything I have read, I have done everything correctly to avoid it, yet it’s still going after the contacts list. I even wiped the disk. The apps have virtually no security. I noticed that even after wiping those all out, a few days later I had a new one automatically installed, “Social media cam.” Deleted that ASAP also. I would never have caught it. This is one of the more annoying viruses.
