We’ve recently intercepted a localized (Bulgarian-language) malware campaign that’s propagating through Facebook Wall posts. A malware-infected user unknowingly posts a link plus an enticing message, in this case “Check it out!“, on their friends’ Walls, abusing the trust relationship to provoke them into clicking the malicious link. Once users click on the link, they’re exposed to the malicious software.
Sample screenshot of the propagation in action:
Sample spamvertised URL appearing on Facebook users’ Walls:
Sample redirection chain:
hxxp://0845.com/fk7u -> hxxp://connectiveinnovations.com/mandolin.html?excavator=kmlumm -> hxxp://184.108.40.206/imagedl11.php
Sample detection rates for the malicious executables participating in the campaign:
hxxp://220.127.116.11/imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4 – detected by 23 out of 46 antivirus scanners as Backdoor:Win32/Tofsee.F
hxxp://18.104.22.168/imagedl11.php – MD5: 95a29c9652accb0b66036f026b6c85da – detected by 16 out of 46 antivirus scanners as Trojan-Dropper.Win32.Dorifel.zek
hxxp://22.214.171.124/11c.exe – MD5: 6807409c44a4a9c83ce67abc3d5fe982 – detected by 30 out of 46 antivirus scanners as Trojan-Dropper.Win32.Dorifel.ypu
hxxp://126.96.36.199/10c.exe – MD5: c032551a9c917af3a33dd48dfb68807c – detected by 37 out of 46 antivirus scanners as Trojan-Ransom.Win32.Gimemo.atzi
hxxp://188.8.131.52/4c.exe – MD5: 11bc0e87a3a71ed39d070eb8c8c66368 – detected by 22 out of 45 antivirus scanners as Backdoor:Win32/Tofsee.F
hxxp://184.108.40.206/2c.exe – MD5: 851429df461b2f5787cdfbdc0e525bfc – detected by 6 out of 46 antivirus scanners as Artemis!851429DF461B
hxxp://220.127.116.11/6c.exe – MD5: cd7c00403703ff2f97c92673464a9749 – detected by 35 out of 46 antivirus scanners as Trojan-Ransom.Win32.Gimemo.atzi
hxxp://18.104.22.168/9c.exe – MD5: ff7a64bee4dda13251988f77e2bccfc4 – detected by 38 out of 46 antivirus scanners as Trojan-Ransom.Win32.Gimemo.atzi
hxxp://22.214.171.124/8c.exe – MD5: 2d4c5b95321c5a9051874cee9c9e9cdc – detected by 38 out of 46 antivirus scanners as Trojan-Ransom.Win32.Gimemo.atzi
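The redirection chain and the per-sample lines above are published defanged (hxxp), so they cannot be dropped straight into a blocklist. The following is an added example, not code from the original post, that parses lines in the write-up's layout into normalized indicators (refanged hosts, lower-cased MD5s, detection ratios) and flags samples with low AV coverage; the parsing rules are assumptions about this post's formatting, not a general threat-intel format, and the sample lines are copied from the post.

```python
"""Normalize defanged indicators from the write-up into machine-usable IoCs.

Added example: not code from the original post. SAMPLE_LINES are copied from
the indicator lines above; the regex assumes that layout (hxxp-defanged URLs,
"->" between redirect hops, an en dash between fields).
"""
import re
from urllib.parse import urlparse

# Constructed input: indicator lines copied verbatim from the post.
SAMPLE_LINES = [
    "hxxp://0845.com/fk7u -> hxxp://connectiveinnovations.com/mandolin.html"
    "?excavator=kmlumm -> hxxp://184.108.40.206/imagedl11.php",
    "hxxp://220.127.116.11/imagedl11.php – MD5: 1ad434025cd1fb681597db80447290e4"
    " – detected by 23 out of 46 antivirus scanners as Backdoor:Win32/Tofsee.F",
    "hxxp://184.108.40.206/2c.exe – MD5: 851429df461b2f5787cdfbdc0e525bfc"
    " – detected by 6 out of 46 antivirus scanners as Artemis!851429DF461B",
]

# "URL – MD5: <hash> – detected by X out of Y antivirus scanners as NAME"
SAMPLE_RE = re.compile(
    r"^(?P<url>hxxps?://\S+)\s+[–-]\s+MD5:\s*(?P<md5>[0-9a-fA-F]{32})\s+[–-]\s+"
    r"detected by (?P<hits>\d+) out of (?P<total>\d+) antivirus scanners as (?P<name>\S+)$"
)


def refang(url):
    """Undo hxxp / [.] defanging so standard URL parsing works."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def parse_chain(line):
    """Split an 'a -> b -> c' redirection chain into refanged hops."""
    return [refang(hop.strip()) for hop in line.split("->")]


def parse_sample(line):
    """Parse one per-sample line; returns None for lines in another layout."""
    m = SAMPLE_RE.match(line.strip())
    if not m:
        return None
    hits, total = int(m["hits"]), int(m["total"])
    url = refang(m["url"])
    return {
        "url": url,
        "host": urlparse(url).hostname,
        "md5": m["md5"].lower(),
        "detection_ratio": hits / total,
        "label": m["name"],
    }


def build_iocs(lines, low_coverage=0.25):
    """Collect blocklist hosts, hashes and low-coverage samples from report lines."""
    hosts, md5s, low = set(), set(), []
    for line in lines:
        sample = parse_sample(line)
        if sample:
            hosts.add(sample["host"])
            md5s.add(sample["md5"])
            if sample["detection_ratio"] < low_coverage:
                low.append(sample["md5"])
            continue
        if "->" in line:  # redirection chain: every hop is an infrastructure host
            for hop in parse_chain(line):
                host = urlparse(hop).hostname
                if host:
                    hosts.add(host)
    return {"hosts": hosts, "md5s": md5s, "low_coverage_md5s": low}


if __name__ == "__main__":
    iocs = build_iocs(SAMPLE_LINES)
    print("hosts:", sorted(iocs["hosts"]))
    print("md5s:", sorted(iocs["md5s"]))
    print("low AV coverage:", iocs["low_coverage_md5s"])
```

The low-coverage list is the part worth acting on: a sample detected by 6 of 46 engines (the Artemis generic) is exactly the one a hash-only control will miss, so those hashes should be paired with the host blocklist rather than relied on alone.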
Responding to this IP (126.96.36.199, AS197145 Infium Ltd.) are also the following malicious/fraudulent domains:
Sample behavioral analysis for the associated MD5s:
MD5: 11bc0e87a3a71ed39d070eb8c8c66368 creates the C:\Documents and Settings\Administrator\tbdv.exe and C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1014.bat files on the affected hosts. It then phones back to 188.8.131.52.
MD5: 851429df461b2f5787cdfbdc0e525bfc creates the C:\Documents and Settings\Administrator\hhqpbnac.exe and C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4628.bat files on the affected hosts. It then phones back to 184.108.40.206.
MD5: 2d4c5b95321c5a9051874cee9c9e9cdc creates the following file on the affected systems: %UserProfile%\yzrpofko.exe. It also modifies the Registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] MSConfig = “%UserProfile%\yzrpofko.exe”, and phones back to 220.127.116.11:443.
MD5: cd7c00403703ff2f97c92673464a9749 creates the following file on the affected hosts: %UserProfile%\btewpzqa.exe. It also modifies the Registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] MSConfig = “%UserProfile%\btewpzqa.exe”, and phones back to 18.104.22.168:443.
MD5: c032551a9c917af3a33dd48dfb68807c creates the following file on the affected hosts: %UserProfile%\asvkgzso.exe. It also modifies the Registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] MSConfig = “%UserProfile%\asvkgzso.exe”, and phones back to 22.214.171.124:443.
MD5: ff7a64bee4dda13251988f77e2bccfc4 creates the following file on the affected hosts: %UserProfile%\tpatewvi.exe. It also modifies the Registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] MSConfig = “%UserProfile%\tpatewvi.exe”, and phones back to 126.96.36.199:443.
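The behavioural pattern above is consistent across the samples: an .exe with a random eight-letter name dropped directly in the profile root, an HKCU Run value named MSConfig pointing at it, and a call-back to one of the listed addresses on TCP/443. The following added example (not code from the original post) turns that pattern into two host-side checks, one over autorun entries and one over connection records; the registry entries and flow records are constructed samples, the `RunEntry`/`Flow` field names are this example's own rather than any tool's export format, and the C2 set copies the addresses as printed in the write-up.

```python
"""Host-side checks for the persistence and call-back behaviour described above.

Added example, not code from the original post. Registry entries and flow
records are constructed samples; KNOWN_C2 copies the addresses printed in the
write-up. RunEntry/Flow are this example's own record shapes.
"""
import ntpath
import re
from dataclasses import dataclass

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Call-back addresses as listed in the behavioural analysis.
KNOWN_C2 = {"188.8.131.52", "184.108.40.206", "220.127.116.11",
            "18.104.22.168", "22.214.171.124", "126.96.36.199"}

# An .exe sitting directly in the profile root (%UserProfile%, C:\Users\<name>
# or C:\Documents and Settings\<name>), the drop location every sample used.
PROFILE_ROOT_EXE = re.compile(
    r"^(?:%userprofile%|[a-z]:\\(?:users|documents and settings)\\[^\\]+)\\[^\\]+\.exe$",
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    key: str
    name: str
    value: str


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def executable_path(value):
    """Pull the program path out of a Run value, honouring quoting."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split()[0] if v else ""


def run_entry_indicators(entry):
    """Return the reasons an autorun entry resembles the campaign's persistence."""
    path = executable_path(entry.value)
    stem = ntpath.splitext(ntpath.basename(path))[0]
    reasons = []
    if entry.name.lower() == "msconfig":
        reasons.append("value name borrows the MSConfig name")
    if PROFILE_ROOT_EXE.match(path):
        reasons.append("executable dropped in the user profile root")
    if re.fullmatch(r"[a-z]{8}", stem):
        reasons.append("eight random lowercase letters, like the observed droppers")
    return reasons


def suspicious_run_entries(entries, min_reasons=2):
    """Flag entries matching at least `min_reasons` indicators (one alone is noisy)."""
    flagged = []
    for entry in entries:
        reasons = run_entry_indicators(entry)
        if len(reasons) >= min_reasons:
            flagged.append((entry, reasons))
    return flagged


def c2_callbacks(flows):
    """Connections to a listed call-back address; the campaign used TCP/443."""
    return [f for f in flows if f.dst in KNOWN_C2]


# Constructed samples: one campaign-style entry, one benign, one borderline.
SAMPLE_RUN = [
    RunEntry(RUN_KEY, "MSConfig", r'"%UserProfile%\yzrpofko.exe"'),
    RunEntry(RUN_KEY, "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(RUN_KEY, "Updater", r"C:\Users\alice\updater.exe"),
]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 443),      # constructed benign destination
    Flow("10.0.0.5", "220.127.116.11", 443),    # address listed in the write-up
]

if __name__ == "__main__":
    for entry, reasons in suspicious_run_entries(SAMPLE_RUN):
        print(f"{entry.key}\\{entry.name} -> {entry.value}: {'; '.join(reasons)}")
    for flow in c2_callbacks(SAMPLE_FLOWS):
        print(f"call-back: {flow.src} -> {flow.dst}:{flow.dport}")
```

Requiring two indicators keeps a legitimately named updater in the profile root from firing on its own, while the campaign's entries hit all three; the flow check is deliberately port-agnostic so a variant that moves off 443 is still caught by address.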
More MD5s are known to have phoned back to 188.8.131.52:
As well as related MD5s phoning back to 184.108.40.206:
What’s special about the second C&C phone-back IP (220.127.116.11) is that it was used in another Facebook-themed malware campaign back in December 2012, indicating that this cybercriminal or group of cybercriminals is actively impersonating Facebook Inc. for malicious and fraudulent purposes.
If you catch a Facebook impersonating email in the wild, please forward it to firstname.lastname@example.org to notify Facebook of the attack.
Webroot SecureAnywhere users are proactively protected from these threats.