AegisLab received several malicious video links on Facebook, as follows:

hxxp://www.facebook.com/pages/Videos-choquantes/115875135259062?sk=app_208195102528120

hxxp://www.facebook.com/pages/Videos-choquantes/116032281910520?sk=app_208195102528120  

 

They all take advantage of your curiosity about an unknown video and lure you into executing a malicious package.

Our analysis follows:

The subject is "This girl has a spider under the skin and makes it removed!", and the message shown in the pop-up window is:

Update Needed

to watch the latest videos on Facebook you must install this update package.

To begin, click on the button below:  

   

Obviously, the devil wants to lure you into executing the malware.

If the "OK" button is clicked, you will get a malicious file: hxxp://dl-b.uni.me/updates/fr_FR/fb13.4.4_fr.exe

After this file is run, the message "update already done" is shown in a pop-up window, as follows:

  

 

 

After that, one more extension has been added to the Chrome browser:

The content of this extension:

A Chrome extension is defined by its manifest.json, and this one has malicious scripts injected into it.

  

 

Analyzing manifest.json, we found:

1. Permission: allows connections to any URL

2. Main program: call.js

3. Malicious update URL: hxxp://du-pont.info/updates/fr_FR/update.xml
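
The three manifest properties listed above can be checked automatically across the extensions installed in a Chrome profile. The following is an added example, not code from the original analysis: the sample manifest is constructed, its update host is a placeholder, and loading call.js as a content script is an assumption.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Update host used by extensions installed from the Chrome Web Store.
WEBSTORE_UPDATE_HOST = "clients2.google.com"
# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample modeled on the three findings above. The host is a
# placeholder, and loading call.js as a content script is an assumption.
SAMPLE_MANIFEST = """{
  "name": "constructed sample", "version": "1.0", "manifest_version": 2,
  "permissions": ["tabs", "http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["call.js"]}],
  "update_url": "http://updates.example.invalid/update.xml"
}"""

def audit_manifest(manifest_text):
    """Return a list of risk findings for one manifest.json document."""
    manifest = json.loads(manifest_text)
    findings = []
    # Manifest V2 lists host patterns in "permissions", V3 in "host_permissions".
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    broad = sorted(p for p in perms if isinstance(p, str) and p in BROAD_PATTERNS)
    if broad:
        findings.append("broad host permission: " + ", ".join(broad))
    for script in manifest.get("content_scripts", []):
        if BROAD_PATTERNS & set(script.get("matches", [])):
            findings.append("content script on every page: " + ", ".join(script.get("js", [])))
    update_url = manifest.get("update_url")
    if update_url:
        parsed = urlparse(update_url)
        if parsed.scheme != "https" or parsed.hostname != WEBSTORE_UPDATE_HOST:
            findings.append("update_url outside Chrome Web Store: " + update_url)
    return findings

def audit_extensions_dir(ext_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    flagged = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        findings = audit_manifest(path.read_text(encoding="utf-8-sig"))
        if findings:
            flagged[path.parent.parent.name] = findings
    return flagged

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Point `audit_extensions_dir` at the `Extensions` folder of a Chrome profile to list the extension IDs that trip any of the three checks.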

  

 

 

Part of the main program, call.js:

  

   

The malicious extension collects your Facebook contacts, adds them as fans, and then spreads malicious links to them.

The best way to lower the risk from malicious links is to check the browser's status bar before clicking the OK button whenever possible.

For your internet browsing security and to prevent malicious connections, we urge our customers to keep their WebGuard signatures up to date.

 

by AegisLab