It’s no surprise to see Facebook becoming a primary focus for spreading malware. Attackers are leveraging Facebook as a means of reaching end users, delivering links in order to convince victims to click on them. The links deliver malware that allow attackers to access sensitive information or take control of a voctim machine, Recently, I found such an incident where Facebook was used to spread a known Trojan.
The victim usually gets a message containing a malicious link which looks like:
Visiting link redirects user to the following page:
The above page delivers a binary called “surprise.exe”. Virustotal shows most common antivirus engines flag it as known Torjan Dropper. If you accidentally execute “surprise.exe”, the victim machine prompts with the following message:
Currently no malware is hosted on the site “facebook-surprise-nmsk.tk”. But its not guaranteed that it will remain in same state. Report from “ scumware.org” shows different domains used to spared this malware.All the different domains were registered with same ip. DNS lookup for the ip 220.127.116.11 can found here.
This clearly shows how attackers are taking advantage of power of social networking to spread malware. Always make sure the links are safe before clicking on them.