Friday, October 11, 2013

Funny Facebook files deliver malware

I've recently got notified on an interesting malware campaign. I'll start with some screenshots:

Save the file and run! It is funny :)

DivX plug-in Required!

Download and execute the facebook app, please!

Some examples of files that can be downloaded:;

I think you get the point here. Users are being socially engineered to download a file that seems to originate from Facebook. The file is supposed to be an image file (PNG, TIFF, BMP, JPEG and even "PIC") but is in fact an executable. The initial landing page also ends in names of females, for example "laura.html" or "birgitta.html" .

Let's take a look at one of the downloaded files:
MD5: 1273f3ea6ae76340270bab57b073b0b5
Anubis Result
Malwr Result
VirusTotal Result

Unfortunately I was unable to execute the malware, as I currently don't have a physical machine to test it. According to VirusTotal results, it may be a Trojan called Yakes or Tobfy:
Trojan:Win32/Tobfy is a family of ransomware trojans that targets people from certain countries. It locks your PC and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.

Some variants might also take webcam screenshots, play an audio message pretending to be from the FBI, closes or stops processes or programs, and prevents certain drivers from loading in safe mode - possibly to stop you from attempting to disable the trojan.

According to Ydklijnsma, this specific campaign drops bitcoin miner malware. See:
There's a good blogpost by Brian Krebs on the subject of bitcoin mining malware:

Most of the malware seems to be hosted via the domain registrar "Hong Kong Sun Network":
Hong Kong Sun Network - hosting multiple malicious websites

Some IPs that are involved - next to it their abuse contacts:

I'm betting it's safe to assume the worst and block these IPs (more investigation is needed though):

Most of the sites use the pattern described here:
If you're interested in some of the websites that are serving this malware, visit the following Pastebin:
Note that links may still be live! 


  • Don't be fooled by websites that seem to resemble Facebook, always check the URL you are currently on before downloading or executing files
  • Install an antivirus and antimalware product and keep it up-to-date & running
  • Use a linkscanner to verify the integrity of a link on either or
  • Use NoScript in Firefox or NotScripts in Chrome to block malicious attempts on unknown sites
  • Running "funny Facebook files" will usually provide you with everything but fun

No comments:

Post a Comment