Secplicity – Security Simplified

Friends Don’t Let Friends Download Malware


Last weekend, a user on the question and answer site Stack Exchange asked for help identifying malware he found distributed via Facebook. He said he received a notification on Facebook, informing him that one of his friends had tagged him in a comment on the site. When the user clicked on the notification link, his browser automatically downloaded an obfuscated JavaScript file. Quick analysis of the JavaScript showed that when executed, it acted as a loader application to download and execute malware.

Another Stack Exchange user provided further analysis of the malicious JavaScript file. This user found that the JavaScript downloaded and installed a Chrome extension, the AutoIt Windows executable, and a few malicious AutoIt scripts. The malware likely creates its tainted Facebook posts using this Chrome extension to continue infecting other hosts.

Aside from the Chrome extension, the JavaScript loader also included functions to download the AutoIt executable and various AutoIt scripts. AutoIt is a (usually legitimate) scripting language designed to help IT administrators easily configure large numbers of Windows hosts. In the case of this malware, the bad guys were using AutoIt scripts to perform ransomware-like behaviors. The scripts themselves were hosted on a compromised website, disguised with .jpg extensions to appear as regular image files without closer inspection.
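A check a defender might run over downloaded files, added here as an example and not code from the original post or the analysis it describes: it compares a file's claimed extension against its leading bytes, so a ".jpg" that is really an AutoIt script or a Windows executable stands out. The magic-byte table, the AutoIt keyword markers and the sample files are assumptions of this example.

```python
"""Flag downloaded files whose content does not match their claimed extension.

A real JPEG begins with FF D8 FF, a Windows executable (such as the AutoIt
interpreter) begins with "MZ", and an AutoIt script is plain text, so a
".jpg" holding either of the latter is a disguise worth alerting on.
"""
import os

# Leading-byte signatures for the content types relevant here (assumed
# table for this example; not exhaustive).
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pe": b"MZ",            # Windows executable / DLL
    "zip": b"PK\x03\x04",
}

# Content types that are acceptable for each claimed extension.
EXPECTED = {
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".png": {"png"},
    ".gif": {"gif"},
    ".exe": {"pe"},
}

def sniff(data: bytes) -> str:
    """Return a coarse content type derived from the first bytes of data."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    head = data[:512]
    if b"\x00" in head:          # NUL bytes: some other binary format
        return "binary"
    # AutoIt source is plain text; these markers are typical AutoIt syntax.
    if b"#include" in head or b"Func " in head or b"AutoItSetOption" in head:
        return "autoit-script"
    return "text"

def is_disguised(filename: str, data: bytes) -> bool:
    """True when the extension claims a type that the content does not match."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXPECTED:
        return False
    return sniff(data) not in EXPECTED[ext]

if __name__ == "__main__":
    samples = {  # constructed sample downloads, not real captures
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "holiday.jpg": b"#include <File.au3>\r\nFunc _run()\r\n",
        "logo.jpg": b"MZ\x90\x00\x03\x00",
    }
    for name, data in samples.items():
        print(name, sniff(data), "DISGUISED" if is_disguised(name, data) else "ok")
```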

Luckily, even though this user’s browser automatically downloaded the malicious JavaScript after visiting the notification link, his browser didn’t automatically execute the code. It seems the malware’s author relied on users launching the JavaScript themselves, which would greatly lessen this attack’s success.

In any case, this incident is a great example of why you should never execute unsolicited applications from the Internet. If your browser downloads a file after you click a Facebook notification, it should raise immediate red flags. The user on Stack Exchange did the right thing by investigating the file first and then asking for help from experts.

You should also keep your browser and all of its extensions fully updated with the latest patches. While this attack’s delivery method was relatively unsophisticated, that’s not always the case. A more motivated attacker may have tried to exploit known browser vulnerabilities to auto-execute the malware and compromise the would-be victim’s computer before they even knew what hit them. –Marc Laliberte
