Translator: Zixi Return
Foreword
Many of us use Facebook Messenger to share interesting videos and links with friends, but a recent campaign abuses exactly that habit, so be alert. Researchers at Kaspersky Lab and Detectify Labs found attackers using Facebook Messenger for a cross-platform attack: a crafted video link is sent to targets, apparently from one of their friends. Once clicked, the link redirects the user, based on browser and operating system, to a fake website that tricks them into installing a malicious browser extension, which in turn drops adware onto the victim's machine. Kaspersky Lab was assessing the threat while Frans Rosén of Detectify Labs was analysing it independently, so Kaspersky researcher David Jacoby and Detectify researcher Frans Rosén decided to co-write the research report on the incident.
Propagation Mechanism
Frans Rosén spent a considerable amount of time analysing the JavaScript and working out how the malware spreads. On the surface this looks like a simple job, but it is not: it involves several steps, including identifying the JavaScript payload, and because the script itself decides when an attack is launched, it was also necessary to watch in real time for the moment the attacker actually triggered one.
The malware targeting Chrome does not only spread malicious links; it also collects and counts information about its victims. We broke the propagation process down into the following steps:
1. The victim receives a link via Facebook Messenger from a friend.
2. Clicking it leads to a Google Docs page showing a fake video player decorated with the friend's profile picture.
3. Clicking that in the Chrome browser redirects to a fake YouTube page, which prompts the victim to install a malicious Chrome extension from the Chrome Web Store (in reality a downloader).
4. Once the malicious extension is installed, it sends the malicious link on to the victim's online friends.
The Chrome extension stage deserves a closer look.
Facebook message
The message contains the recipient's name, the word "Video", a random emoji and a link created with a URL-shortening service:
Google Docs shared PDF preview
After clicking the link, the user lands on a URL on docs.google.com. The link is a sharing preview link for a PDF, most likely chosen because it is the fastest way to get a large, attacker-controlled content area on a legitimate Google domain that can be reached from an external link.
The PDF itself is created with TCPDF 6.2.13 in PHP and then uploaded to Google Docs through Google Cloud Services. Clicking it takes you to the details page of the previewed PDF. The sharing settings of the generated link contain an interesting detail: the document is set to "Anyone can edit", meaning anyone with the link can edit it. Now consider how the link spreads: the attack sends the same link to all of the victim's Facebook friends, so any one of those friends could change the link's access settings and stop the attack from spreading to other victims' friends.
Another interesting detail is the user who created the document. Looking at a large number of cases reveals a pattern:
The figure above shows links sent to four different victims; all of them use the same IAM username (ID-34234), even though they were created from different Google Cloud projects.
At the time the attack was launched, the URLs of these PDF preview pages sent to victims were not on Google's blacklist.
Redirect
After the Google Docs link is clicked, the user is redirected; the redirect decision is most likely based on browser fingerprinting. Below we focus on the Chrome case.
Chrome: redirect to a fake YouTube page
Chrome users are redirected to a fake YouTube page; we noticed several different domains being used during the attack. The page also prompts you to install a Chrome extension. Because the extension could be installed directly from the page, the only thing the victim has to do is click "Add extension". Once the victim clicks it, the attack has succeeded.
Chrome extension
A variety of Chrome extensions were used. All of them were newly created, with code copied from existing extensions of similar names. The modified parts are mainly background.js and manifest.json.
The manifest was changed to add permissions to control tabs and access all URLs, and to enable background.js:
All the background scripts we found in these extensions were obfuscated, but the underlying script is shown in the figure below:
Obfuscated background script
This script deserves closer scrutiny. First, background.js only fetches the external URL if the extension was installed from the Chrome Web Store; if the extension was loaded unpacked from a local directory, no network activity is triggered. The fetched content contains a reference to another script. That script is wrapped in a JavaScript Blob via URL.createObjectURL and then loaded and run by background.js. The script generated in the Blob is obfuscated as well, as shown in the figure below:
After it loads, the following happens:
1. Once a tab has loaded successfully, a listener is attached to all tabs.
2. After a tab finishes loading, a request is made to another URL. If the response contains anything, it is sent back to the tab and run with executeScript. That runs the returned JavaScript inside the page that triggered the request, effectively performing a real-time XSS injection into that tab.
Getting all the scripts
While trying to identify the injected files, I noticed that the attacker's C&C server did not always return code. I began to suspect that the attacker controls when the attack propagates, and whether it is triggered manually or only for selected targets.
To avoid waiting in vain, I built a fake extension that mimics the attacker's extension. Of course, I did not execute the returned code; I only saved it locally.
After a while I noticed I was receiving a lot of hits, and the endpoints immediately sent back code. The returned code was not obfuscated at all, so the whole process was easy to follow. The code is written specifically for Facebook.
This script performs the following operations:
1. Checks whether the current domain includes facebook.com.
2. Extracts the Facebook CSRF token, named fb_dtsg.
3. Checks whether an access token has already been obtained (the access token is used to authenticate to the Facebook API).
4. Sends the access token and user ID to the attacker's external site.
5. Makes sure the Platform feature is enabled (deactivating the kill-switch):
6. Creates an access token. Facebook has deprecated the FQL API, which it previously used:
However, the attacker found that if the access token is created for the "Pages Manager" application for iOS, the FQL API remains available.
Now for the most interesting part: what these scripts actually do.
The attacker's Facebook page
The script contains a hardcoded reference to a Facebook page and likes it. Most likely the attacker uses the page's like count to keep track of how many users have been infected.
At one stage of the attack we saw the page's like count surge from 8,900 to nearly 32,000 in just a few hours:
It is also obvious that the attacker controls the timing of the attack through the script fetcher on the C&C server: during the attack, the growth rate of the page's likes varied enormously.
The attackers also switched pages several times, most likely because their page was blocked by Facebook.
Getting the friend list
Since the attacker holds an access token that supports FQL, they can use the deprecated API to fetch the victim's friend list, sort it by last activity and pick friends who have been online.
They shuffle the list, select 50 friends at a time, and only attack friends who are idle or online.
They then generate a link through another domain that takes the user ID, creates a PDF on Google Docs with the current victim's profile picture, and returns a shortened link.
Once the attacker's script receives that link, it sends the message to all the selected friends, and the link is running again.
Interesting details
Some parts of the injected code were never used, or were left over from earlier versions of the attack.
One of them is a localisation function for sending the message to each friend in the appropriate language; in the actual attack it was replaced with a random emoji:
login.php
One of the domains used by the attacker contains files suggesting that PHP files such as login.php were hosted there. That file serves a Facebook login script together with a hardcoded email address:
Version
We found that the attacker used several versions of the Facebook injection script. Towards the end of the attack, the script only liked the Facebook page and no longer launched the attack; in addition, the domain used to collect access tokens had been removed from the script.
Landing page
As mentioned, the script also fingerprints the browser you are using. The Chrome extension only works for Google Chrome users; if you use a different browser, the code does something else.
Interestingly, although the attackers added support for most operating systems, we did not collect any samples for Linux.
All the samples we collected are adware. When the victim opens the final landing page, they are redirected through several tracking domains serving malicious ads, which suggests the attacker monetises the campaign through clicks and ad distribution.
Safari browser
MD5 (AdobeFlashPlayerInstaller.dmg) = d8bf71b7b524077d2469d9a2524d6d79
MD5 (FlashPlayer.dmg) = cfc58f532b16395e873840b03f173733
MD5 (MPlay.dmg) = 05163f148a01eb28f252de9ce1bd6978
These are fake Adobe Flash updates, and the sites that served them changed from one visit to the next; the attacker appears to rotate through a set of domains.
Firefox browser (Mozilla Firefox)
MD5 (VideoPlayerSetup_2368681540.exe) = 93df484b00f1a81aeb9ccfdcf2dce481
MD5 (VideoPlayerSetup_3106177604.exe) = de4f41ede202f85c370476b731fb36eb
I'm infected, what should I do?
The Google Chrome Security Team has now disabled all the malicious extensions, but when the malware stole your Facebook profile it also stole your Facebook access token. That token may be time-limited, but its permissions are very broad. The access token obtained is the kind used by the Facebook application for Android. With it, the attacker can access your profile regardless of whether you change your password, log out of Facebook or disable the Platform settings in Facebook.
We are currently discussing this with Facebook, but it seems the victim has no easy way to revoke an access token stolen this way. For now, one can only hope the attacker does nothing before the token expires.
We strongly recommend that users keep their antivirus software up to date.
Conclusion
The attack relies mainly on realistic social interaction, dynamic user content and legitimate domains as intermediate steps. The core infection point of the propagation mechanism described above is the installation of the Chrome extension. Be very careful when you grant an extension the ability to control your browser activity, and make sure you know which extensions are currently running in your browser. If you use Chrome, enter chrome://extensions/ in the address bar to get a list of installed extensions.