Security experts at TrendMicro believe that the malware is triggered by opening Facebook or Twitter via shortened links provided in any social networking websites. Once clicked, the links may lead victims to a site that automatically downloads the malicious browser extension.
MALWARE INVOLVES DOWNLOADING MULTIPLE MALICIOUS FILES
The process is quite complicated as the malware drops a downloader file which downloads multiple malicious files on the victim’s computer. Moreover, the malicious program also has ability to bypass Google's recent security protection added to Chrome against installation of browser extensions that are not in Chrome Web Store.
Researchers came across a baiting tweet that advertises “Facebook Secrets”, claiming to show videos that are not publicly available, along with a shortened link that is to be clicked in order to get it. Curious users easily fall victim to such campaign and click the given links to download those videos.
What the user totally unaware of is that the file which he downloaded is a malware dropper with the name “download-video.exe”, detected as TROJ_DLOADE.DND, according to fraud analyst Sylvia Lascano of the security firm Trend Micro.
This malicious file then is used to drop additional malware into the victims’ computer, one such is a Chrome browser extension which masquerades as Flash Player, which could be used for more offensive threats designed to steal victims’ credentials for various online services.
MALWARE BYPASSES GOOGLE’S SECURITY POLICY
In order to evade detection, the malware circumvents Google's security policy – which only allows extension installations hosted in the Chrome Web Store – by creating a folder in the browser's directory where it drops “browser extension components.”
The browser extension components that needs to be loaded are added to Chrome’s extension folder are as follows:
- manifest.json – contains browser extension description like name, script to load, version, etc.
- crx-to-exe-convert.txt – contains the script to be loaded, which can be updated anytime by connecting to a specific URL.
After all the data is parsed by the browser in the dropped component manifest.json, the extension is ready to work.
OPEN FACEBOOK OR TWITTER – BE A VICTIM OF CLICK FRAUD
Once installed, if a user visits Facebook or Twitter, the extension quietly opens a specific site in the background that is written in Turkish, which researchers believe is part of a click fraud or redirection scheme.
“The site is written in Turkish and phrases such as ‘bitter words,’ ‘heavy lyrics,’ ‘meaningful lyrics,’ ‘love messages,’ and ‘love lyrics’ appear on the page. This routine could be a part of a click fraud or redirection scheme,” fraud analyst Sylvia Lascano of the security firm Trend Micro said in a blog post.
SHORTENED LINK HELPED THREAT ACTORS
By the time researchers discovered the campaign, the tweets promoting the sophisticated malware dropper had been retweeted more than 6,000 times.
Here cyber criminals took help of shortened link in order to victimize a large number of victims because of the fact that the shortened link don’t have visibility of where it directs, and contributes to spreading the campaign.
So, in order to protect your computers against this sort of threats, avoid accessing links from any unknown and suspicious sources.