Multi-platform Adware Facebook Messenger

ANI New Delhi [India]
Last Updated : Sep 04 2017 | 12:28 PM IST

Earlier this week a Kaspersky Lab researcher discovered new malware, with advanced and obfuscated code, that infects victims with adware through Facebook Messenger. What the researchers found as they dug further is a real threat to anyone who is not careful.

It's been a few days since Kaspersky Lab's blog post about the Multi Platform Facebook malware that was spread through Facebook Messenger.

The researchers spent quite some time analyzing the JavaScript and trying to figure out how the malware was spreading. It seemed like a simple task, but it wasn't: there were multiple steps involved in working out what each JavaScript payload did, and since the script dynamically decided when to launch the attack, it had to be monitored until the attackers actually triggered it.

The conclusions can be broken down into a few steps, because the malware does more than spread a link: it also notifies the attackers about each infection so they can collect statistics, and it enumerates the victim's browser. The steps are summarized as simply as possible below:

1. The victim receives a link on Facebook Messenger from a friend.

2. The link goes to Google Docs with an image that looks like a fake video player carrying the friend's profile picture.

3. Clicking on that link using Chrome sends the victim to a fake YouTube page that asks them to install a Chrome extension directly from the page.

4. Installing that Chrome extension then spreads the malicious links to the victim's online friends, combined with the victim's profile picture.

The malicious code includes a hard-coded Facebook page that receives an automatic 'like' from each victim. Researchers believe this function is used to count the number of infected users: at one point they saw it rise from 8,900 to 32,000 in the space of just a few hours.

The researchers also found that the core infection point for Google Chrome users is a Chrome extension. Its installation triggers the spread of the malware among the victim's friends.

The malware sorts these friends according to the date of their latest activity and then randomly selects 50 who are currently online.

"I was infected by this, what do I do?"

The Google Chrome Security Team has disabled all the malicious extensions, but when the attackers infected your Facebook profile they also stole an access-token from your Facebook account.

With this access token the attackers will be able to regain access to your profile even if you have, for example, changed your password, signed out of Facebook or turned off the platform settings in Facebook.

Kaspersky Lab is currently discussing this with Facebook but at the moment it seems like there is no simple way for a victim to revoke the token the attackers stole.

Kaspersky Lab highly recommends that you update your antivirus solution, because the malicious domains and scripts have been blocked, and advises users not to click on suspicious links, to check which extensions are running in their browser, and to install only those that come from a trusted source.

Disclaimer: No Business Standard journalist was involved in the creation of this content.

