Attackers spread worm via Facebook, leverage cloud services

Facebook users who clicked an link in a post promising pornographic content may have become infected with a worm – believed to belong to the Kilim family – that then spread the same link to all of their contacts and groups, according to a Thursday post by Malwarebytes.

Kilim targets social media networks – particularly Facebook and Twitter – by installing a rogue extension within the Google Chrome browser, Jerome Segura, senior security researcher at Malwarebytes, told in a Friday email correspondence. The malware can be used to post new messages, like a page, follow users and send direct messages, he explained.

“The goal [of this current attack] is to harvest as many users as possible to create a very large [botnet] consisting of social networks profiles which can be leveraged in various ways, [such as by] reselling Facebook friends and likes, reselling Twitter followers, [and] generating pay per click revenue by visiting sites and clicking ads,” Segura said, adding this attack seems to target Chrome specifically.

To infect users, attackers are taking advantage of a multi-layer redirection architecture that leverages cloud services, the post indicates. Segura said the attackers may be using this method to “make it harder to pinpoint exactly how the malicious redirection takes place, but also to be able to switch services quickly if they get blacklisted,”

Upon clicking the link claiming to deliver “sex photos of teen girls in school,” Facebook users are redirected to another link, which then redirects to an Amazon Web Services page, which then redirects to a malicious website, according to the post.

At this point, the malicious website checks the user’s system. Mobile users are “taken to an offer page based on their geographic location and language,” Segura said. “These offers usually end up being bogus apps or surveys.”

Computer users are instead sent to a Box website where they are prompted to download a file, the post indicates. Running the file will result in the machine becoming infected, which then leads to additional components – the worm – being downloaded and the original link being spread to the infected user’s Facebook contacts and groups.

“The file hosted on Box is trimmed down to a minimum size and its only purpose is to download additional components,” Segura said. “This is typically done to avoid initial detection, but also to allow the bad guys to update the backend code on the server so that the trojan downloader can retrieve the latest versions of each module. After the additional components are downloaded (Chrome extension, worm binary) they are installed on the machine and simply wait for the user to log into Facebook.”

Box is aware of the attack, according to a statement emailed to on Friday. To address the issue, the company is removing the files, eliminating sharing privileges for malicious accounts and is continuously scanning for viruses and related activity.

Facebook is also aware of the threat. Working with the other companies targeted in the attack, the social media giant spent the past week blocking associated links and stopping the links from spreading on its platform, according to a statement emailed to on Friday.

In a statement, an Amazon Web Services (AWS) spokesperson told on Friday that the “activity being reported is not currently happening on AWS.”


Via: scmagazine

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *