A new Trojan that began circulating on Facebook yesterday has managed to spread to over 110,000 computers in just two days. Security researcher Mohammad Reza Faghani says the Trojan's rapid transmission is served by tags that add and include friends of the victim. Scams that use tags are not new, but they have recently been used with increased frequency.
The malicious message includes a fake porn video; an unsuspecting user who clicks to watch it is taken to a page to view it. The video stops a few seconds after it starts and asks the viewer to download a malicious file, supposedly an updated version of Flash Player needed to watch the rest of the clip. The download starts automatically.
Mohammad Reza Faghani, who discovered the fraud, reports that the number of victims is on the rise.
The cybercriminals behind the Trojan, he says, use a very aggressive distribution method, which the researcher called "Magnet." The method allows friends of the victim's friends to see the malicious post.
In earlier cases, the original victim could only send the malicious message to his friends, and only if they were infected could the fraud be transmitted to their contacts.
A brief analysis of the Trojan shows that the fake Flash Player update uses several executable file names (chromium.exe, wget.exe, arsiv.exe, verclsid.exe) for the files it stores on the compromised system.
As for its functionality, Faghani reports that the malware takes control of the victim's mouse and keyboard.
According to Faghani, the two domains hosting the Trojan were first registered in October 2014. One of these, pornokan[.]com, uses a server located in Amsterdam (DigitalOcean Amsterdam), and the IP address of the other, filmver[.]com, points to the Cloudflare network. The domain provider for both is FBS INC, a company from Turkey that offers domain name registration services.
An analysis by BitDefender concluded that the scammer was of Turkish origin and used the online nickname "schwarzback."
Be careful, therefore: the malicious messages are still circulating, according to the researcher.