Microsoft issued a new warning on Friday: “At the time this blog was written, there were more users ‘liking’ and ‘commenting’ on the Facebook page that this malware uses – so there’s a possibility that there are more people continuing to be infected.” This malware is in the wild and active.
For the moment it seems to be centered in Brazil. Once installed, it attempts to update itself with a configuration file from the C&C server. Depending on the configuration file, typical functions can then performed including liking, sharing, posting, joining a group, chatting and commenting.
One example noted by Microsoft was a post on the victims’ Facebook account (original in Portuguese): “15 year-old victim of bullying commits suicide after showing her breasts on Facebook. Video on the link below.” The link included has already been blocked by Facebook, and Microsoft doesn’t expand on any specific threat from the URL. Nevertheless, the general threat is clear – a link posted to a wall could tempt friends to visit a malicious site.
Luis Corrons, CTO at PandaLabs, thinks it is typical Brazilian malware. “One of the characteristics of the Trojans there,” he told Infosecurity, “is that they are good at social engineering tricks to distribute them and they are not really technologically advanced – in comparison to malware developed in Russia/East Europe – so this browser extension fits with their profile.” That is, the social engineering techniques are more advanced than the malware itself.
However, since the trojan links to a C&C server and can update itself with new tricks, there is nothing to prevent it spreading out from Brazil and incorporating different languages. “There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time,” warns Microsoft. “In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.”