Secplicity - Security Simplified

Powered by WatchGuard Technologies

Friends Don’t Let Friends Download Malware

July 1, 2016 By Marc Laliberte

Last weekend, a user on the question and answer site Stack Exchange asked for help identifying malware he found distributed via Facebook. He said he received a notification on Facebook, informing him that one of his friends had tagged him in a comment on the site. When the user clicked on the notification link, his browser automatically downloaded an obfuscated JavaScript file. Quick analysis of the JavaScript showed that when executed, it acted as a loader application to download and execute malware.

Another Stack Exchange user provided further analysis of the malicious JavaScript file. This user found that the JavaScript downloaded and installed a Chrome extension, the AutoIt Windows executable, and a few malicious AutoIt scripts. The malware likely creates its tainted Facebook posts using this Chrome extension in order to keep infecting other hosts.

Aside from the Chrome extension, the JavaScript loader also included functions to download the AutoIt executable and various AutoIt scripts. AutoIt is a (usually legitimate) scripting language designed to help IT administrators easily configure large numbers of Windows hosts. In the case of this malware, the bad guys were using AutoIt scripts to perform ransomware-like behaviors. The scripts themselves were hosted on a compromised website and were given .jpg extensions so that, without closer inspection, they appeared to be ordinary image files.
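The ".jpg that is really a script" trick described above is easy to catch because a file's extension is only a claim, while its first bytes are not. The following Python snippet is an added example written for this article (it is not code from the post or from the malware analysis) that compares a file's claimed extension with the content type implied by its leading bytes and flags mismatches. The signature table, the extension map and the three sample files are constructed for the example; the magic values themselves are the well-known public file signatures for JPEG, PNG, GIF and Windows PE files.

```python
import os

# Leading-byte signatures for the file types a user expects behind an image
# extension, plus the Windows PE header an executable payload would carry.
# Constructed table for this example; values are the public file signatures.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pe": (b"MZ",),  # Windows executable (the AutoIt interpreter is one)
}

# What each extension claims to be (constructed for the example).
EXTENSION_EXPECTS = {
    ".jpg": "jpeg",
    ".jpeg": "jpeg",
    ".png": "png",
    ".gif": "gif",
    ".exe": "pe",
}


def detect_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes of `data`."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    # No known binary signature: printable data is treated as text/script,
    # which is what a plain AutoIt or JavaScript source file would look like.
    sample = data[:512]
    if sample and all(32 <= b < 127 or b in (9, 10, 13) for b in sample):
        return "text"
    return "unknown"


def check_extension(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected content type.

    'mismatch' is True when the extension makes a claim (image, executable)
    that the bytes do not support, e.g. a .jpg whose content is a script.
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_EXPECTS.get(ext)
    detected = detect_type(data)
    return {
        "filename": filename,
        "expected": expected,
        "detected": detected,
        "mismatch": expected is not None and detected != expected,
    }


# Constructed sample files: a genuine JPEG header, a text script wearing a
# .jpg extension, and a PE header wearing a .jpg extension.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "image1.jpg": b'MsgBox(0, "hello", "this is an AutoIt-style script")\r\n',
    "image2.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
}


def scan(samples=SAMPLES) -> list:
    """Return the names of samples whose content does not match the extension."""
    return [name for name, data in samples.items()
            if check_extension(name, data)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_extension(name, data))
    print("flagged:", scan())
```

Running the block flags `image1.jpg` and `image2.jpg` and leaves the real JPEG alone. A magic-byte check like this is a triage heuristic rather than a full file-type classifier: it only knows the signatures in its table, and it should be one signal among several (where the file came from, whether the download was solicited, what the user was doing at the time) when deciding whether a download deserves closer inspection.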

Luckily, even though this user’s browser automatically downloaded the malicious JavaScript after visiting the notification link, his browser didn’t automatically execute the code. It seems the malware’s author relied on users launching the JavaScript themselves, which would greatly lessen this attack’s success.

In any case, this incident is a great example of why you should never execute unsolicited applications from the Internet. If your browser downloads a file after you click a Facebook notification, it should raise immediate red flags. The user on Stack Exchange did the right thing by investigating the file first and then asking for help from experts.

You should also keep your browser and all of its extensions fully updated with the latest patches. While this attack’s delivery method was relatively unsophisticated, that’s not always the case. A more motivated attacker may have tried to exploit known browser vulnerabilities to auto-execute the malware and compromise the would-be victim’s computer before they even knew what hit them. –Marc Laliberte

Filed Under: Editorial Articles
