It is well-known that a lot of malware attacks can be distributed through social media. Clicking a nefarious link or opening an attachment sent through a direct message are two fairly common attack vectors. One particular malware group has taken things to the next level, as they use Facebook’s content delivery network (CDN) servers to hide banking Trojans. A very interesting turn of events, although it remains to be seen how the company will respond to this problem.
FACEBOOK CDN IS A MALWARE DISTRIBUTION PLATFORM
Researchers have come across some very unusual malware activity these past few weeks. The way these malicious payloads are distributed raises a lot of questions. Several campaigns actively use Facebook’s CDN servers to distribute malware to users all over the world. It turns out these malware types are all banking Trojans, and all of them are hiding on CDN servers used by the social media giant.
It is also believed these same criminals are responsible for using Dropbox and Google’s cloud storage to distribute similar payloads not too long ago. The trusted services are getting a lot of attention, although not necessarily for the right reasons. When tools like these are used for criminal activity, it is impossible to tell what the final consequences will be. People trust Google, Facebook, and Dropbox, and would hardly associate these companies with malware.
By making use of the Facebook CDN servers, criminals can cause a lot of damage with these banking Trojans. The domain name itself is trusted by security solutions, which means the malware will not be recognized by security software either. A custom domain created to host and distribute malware can easily be blacklisted and even taken offline by registrars. Taking Facebook offline for this particular purpose would be rather problematic.
Users are first contacted through a fake email in which they are asked to visit the Facebook CDN where the malware is hosted. These emails are disguised as a communication from local authorities. Considering that the link in the email will not be marked as malicious right away, most users will click on it regardless. The assailants upload these banking Trojans to Facebook groups or other public sections and then use the resulting CDN URL to distribute them through spam email campaigns.
What is rather peculiar is how this attack is only aimed at Brazilian users right now. The Brazilian ecosystem is of keen interest to particular criminals, although it is unknown why this is the case. If a user from a non-targeted region visits the link, the infection process will be halted prematurely. This shows that this new campaign is specifically tailored for one purpose only, although it is anybody’s guess as to why Brazil is the target.
According to the first reports, the banking Trojan being distributed is called Squiblydoo. Users who click on the link in the email will download a ZIP archive containing a PowerShell script. Once they do so, the malware will download in the background and infect the computer accordingly. It is a rather common method of attack, even though this particular distribution campaign is something we do not see every day. These spam emails have been delivered to hundreds of thousands of recipients, although it is unclear how many people effectively clicked the links in question.
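The point of the delivery chain described above is that a domain reputation check alone will not catch it, because the hosting domain is a trusted CDN. A defender therefore has to look at what is being fetched rather than where from. The following is an added example, not code from the article or from any of the researchers it cites: it flags archive downloads from a trusted CDN in a constructed proxy log, and then inspects a constructed ZIP archive for script members such as PowerShell files. The hostnames, log format and file names are all assumptions made for this example.

```python
import io
import zipfile
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article). The assumed format is
# "timestamp client method url status content-type", one request per line.
SAMPLE_PROXY_LOG = """\
2017-10-19T09:00:00Z 10.0.0.5 GET https://cdn.example-social.test/groups/123/notificacao.zip 200 application/zip
2017-10-19T09:00:02Z 10.0.0.7 GET https://cdn.example-social.test/photos/abc.jpg 200 image/jpeg
2017-10-19T09:00:05Z 10.0.0.9 GET https://files.example.test/report.zip 200 application/zip
"""

# Assumed placeholder for the CDN hostnames an organisation trusts; in a real
# deployment this would be the CDN domains that reputation filters allow through.
TRUSTED_CDN_HOSTS = {"cdn.example-social.test"}

# Content types commonly returned for ZIP archives.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}

# Script-type members worth flagging inside an archive; the article mentions
# a PowerShell script, the other extensions are common script carriers.
SCRIPT_SUFFIXES = (".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta", ".lnk")


def flag_cdn_archive_downloads(log_text):
    """Return (client, url) pairs for archive downloads served from a trusted CDN.

    Such downloads are not malicious by themselves, but they are exactly the
    case a domain blocklist cannot catch, so they deserve content inspection.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip lines that do not match the assumed format
        _ts, client, _method, url, _status, ctype = parts
        host = urlparse(url).hostname
        is_archive = ctype in ARCHIVE_TYPES or url.lower().endswith(".zip")
        if host in TRUSTED_CDN_HOSTS and is_archive:
            hits.append((client, url))
    return hits


def suspicious_archive_members(zip_bytes):
    """Return names of archive members that are scripts or shortcuts.

    Also catches double extensions such as 'x.pdf.ps1', since the suffix check
    looks only at the final extension.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_SUFFIXES):
                flagged.append(info.filename)
    return flagged


def build_sample_archive(include_script=True):
    """Build a constructed ZIP in memory so the example runs offline.

    The script member is a harmless stand-in, not a real payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("leiame.txt", "constructed sample text\n")
        if include_script:
            zf.writestr("notificacao.pdf.ps1",
                        "# constructed benign stand-in\nWrite-Output 'sample'\n")
    return buf.getvalue()


if __name__ == "__main__":
    for client, url in flag_cdn_archive_downloads(SAMPLE_PROXY_LOG):
        print("archive from trusted CDN:", client, url)
    print("script members:", suspicious_archive_members(build_sample_archive()))
```

In practice the first function would feed the second: every archive pulled from a trusted CDN gets opened and inspected, and only those with script or shortcut members are escalated, which keeps the alert volume manageable while still catching a ZIP-wrapped PowerShell dropper that domain reputation alone would wave through.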
Copying/Pasting full texts is frowned upon by the community.
Some tips to share content and add value:
Repeated copy/paste posts could be considered spam. Spam is discouraged by the community, and may result in action from the cheetah bot.
Creative Commons: If you are posting content under a Creative Commons license, please attribute and link according to the specific license. If you are posting content under CC0 or Public Domain please consider noting that at the end of your post.
If you are actually the original author, please do reply to let us know!
Thank You!