AegisLab collected several malicious video links from Facebook, as follows:




They all take advantage of your curiosity about an unknown video and lure you into executing a malicious package.

The analysis is as follows:




The subject is "This girl has a spider under the skin and makes it removed!" and the message shown in the pop-up window is:

Update Needed

to watch the latest videos on Facebook you must install this update package.

To begin, click on the button below:  


Obviously, the devil wants to lure you into executing the malware.

If the "OK" button is clicked, you'll get a malicious file: hxxp:// /fb13.4.4_fr.exe



After this file is run, the message "update already done" is shown in a pop-up window, as follows:




One more extension was then added to the Chrome browser:



The content of this extension:



A Chrome extension is defined by its manifest.json, and this extension was injected with malicious scripts.



Analyzing manifest.json, we found:

1. Permission: allows connections to any URL

2. Main program: call.js

3. Malicious URL for update:




Part of the main program, call.js:



The malicious extension collects your contacts on Facebook and adds them to fans, and then spreads malicious links to them.
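The three manifest.json traits found above (permission for any URL, a script wired in as the main program, and an update URL under the author's control) can be checked for in any installed extension. The following Python sketch is an added example, not AegisLab's code or the extension's own files; the sample manifest, the way call.js is wired in as a content script, and the update host are constructed assumptions.

```python
import json

# Chrome Web Store update endpoint. Any other update_url means the extension
# pulls updates from a server chosen by whoever packaged it.
WEBSTORE_UPDATE = "clients2.google.com/service/update2/crx"
# Match patterns that cover every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(text):
    """Return (finding, detail) tuples for one manifest.json document."""
    m = json.loads(text)
    findings = []
    # Host patterns sit in "permissions" (MV2) or "host_permissions" (MV3).
    perms = m.get("permissions", []) + m.get("host_permissions", [])
    broad = sorted(p for p in perms if isinstance(p, str) and p in BROAD)
    if broad:
        findings.append(("broad-host-permission", broad))
    # Scripts injected into every page can act inside any logged-in session.
    for cs in m.get("content_scripts", []):
        if BROAD.intersection(cs.get("matches", [])):
            findings.append(("script-on-all-pages", cs.get("js", [])))
    # Compare without the scheme so http and https forms both count as store.
    update = m.get("update_url", "")
    if update and update.split("://", 1)[-1] != WEBSTORE_UPDATE:
        findings.append(("off-store-update-url", update))
    return findings


# Constructed sample, not the manifest from the analysed extension. Wiring
# call.js as a content script and the update host are assumptions.
SAMPLE = """{
  "name": "constructed sample", "version": "1.0", "manifest_version": 2,
  "permissions": ["tabs", "http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["call.js"]}],
  "update_url": "http://update.example.invalid/updates.xml"
}"""

if __name__ == "__main__":
    for name, detail in audit_manifest(SAMPLE):
        print(name, detail)
```

Broad host permissions also appear in legitimate extensions, so treat a finding as a reason to review the extension rather than as proof that it is malicious.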

The best way to lower the risk from malicious links is to check the browser's status bar before clicking the OK button whenever possible.

To keep your internet browsing secure and to prevent malicious connections, we urge our customers to keep their WebGuard signatures up to date.


by AegisLab