Turkish ‘Delete Virus’ Targets Facebook Users

Facebook continues to be a favorite target for attackers to spread fake wall-post messages or fake scams. Most of the time these fake messages are involved in fake scams that ask users to respond to surveys. Recently, I discovered a Facebook wall post with a malicious website address that was unknowingly shared by a friend. Once infected with this spam, the malicious wall post will also tag all the friends of an infected Facebook user.  Here is the screenshot of a malicious wall post:

Sil_wallpost

The link from this wall post redirects users to a malicious website that hosts malicious code. This site launches its main attack by identifying browsers with the help of the following code:

sil_code

The preceding code from the malicious site targets Firefox and Chrome browsers on userAgent strings.

Firefox

If the malware detects Firefox, it presents the following error message in Turkish:

sil_firefox_warning

The Google translation of the this message reads:

Please Refresh button, Firefox Add-Update your. Due to system errors and security bugs that are required by pressing the Reload button. Install Firefox Plug-in Update. As long as you have not updated the site faydalanamayacaksýnýz features.

Once clicked, the site installs the malicious “sosyalag.xpi” (XPI extension archive) file for Firefox (from the malicious site) along with a Chrome application from the Google Chrome store (this app has been removed from the store). Here is the JavaScript function used for the Chrome app:

sil_javascript

Chrome

If the malicious site detects Chrome, it will download the malicious file player.exe from the attacker’s dropbox account without asking the user. After using Chrome to visit the site, a victim will see a fake video page:

sil_chrome_warning

The malicious site cleverly shows an arrow pointing to the malicious file for download, even though the file has already  arrived. Player.exe makes Chrome install another malicious application by adding an entry for a .crx file from another malicious site under “\Policies\Google\Chrome\ExtensionInstallForcelist\1: “gagalgomhifgcmeciklindhpaihmecgi;https://XXXXXX.com/maflu.xml.” Once an infected user enters Facebook, the malicious code runs JavaScript in the background, infecting further users.

VirusTotal Detection

Player.exe

sosyalag.xpi

mafera.crx

The XPI extension file for Firefox contains malicious JavaScript code that targets Facebook. Here is screenshot of one of the files:

sil_source

The name in the preceding script “Virusü Sil” is Turkish, which in English is “Delete Virus.” Malicious sites hosting the files present user with information in Turkish. This campaign is aimed against Turkish Facebook users, but it’s not limited to them. Once someone is infected with these extensions, a victim can spread the same post by tagging their friends.

Facebook has already removed these malicious messages from the infected users’ wall posts. The malicious apps have also been removed from Google Chrome store.