A new Trojan released from yesterday on Facebook has managed to spread over over 110.000 computers in just two days. Security researcher Mohammad Reza Faghani says his rapid transmission trojan serve tags that add and include friends of the victim. Scams with Tags are not new, but they are recently used with increased frequency.
The malicious message includes a fake porn video that, if an unsuspecting user clicks to watch, will be taken to a σελίδα για την προβολή του. Το βίντεο θα διακοπεί λίγα seconds μετά την έναρξη του, ζητώντας από τον θεατή να κατεβάσει ένα κακόβουλο archive που υποτίθεται ότι είναι μια ενημερωμένη έκδοση του Flash Player για να μπορέσει να παρακολουθήσει το υπόλοιπο κλιπ. Η διαδικασία λήψης ξεκινά αυτόματα.
Ο Mohammad Reza Faghani who discovered fraud, reports that the number of victims is on the rise.
The cybercriminals behind the Trojan, he says, use a very aggressive distribution method, which the researcher called "Magnet," or a magnet. The method allows friends of the victim's friends to see the malicious publication.
In earlier cases, the original victim could only send the malicious message to his friends, and only if they were infected could the fraud be transmitted to their contacts.
A brief analysis of the Trojan shows that the fake Flash Player update uses several executable file names (chromium.exe, wget.exe, arsiv.exe, verclsid.exe) stored in a hacked system.
Regarding its functionality, Faghani reports that the malicious software takes control of the victim's mouse and keyboard.
According to Faghani, the two domains containing the Trojan were first registered in October of 2014. One of these, pornokan [.] Com uses a server located in Amsterdam (Digitalocean Amsterdam) and the other's IP (filmver [.] Com) shows on the Cloudflare network. In both, the domains provider is FBS INC, a company from Turkey, which offers domain name registration services.
An analysis by BitDefender concluded that the scammer was of Turkish origin and used the online nickname "schwarzback."
Beware, therefore, because malicious messages are still circulating, according to the researcher.