CSP-CERT® Resources:
Cryptomalware spreads on Facebook

by CSP-CERT® Research Science
posted December 2017
Date Discovered: December 20, 2017 | Time: 7:18PM

Today, we received reports of unsolicited private and group messages from friends on Facebook. These messages contain a clickable download link to a file that appears to be a video inside a ZIP archive. The ZIP archive actually contains malware, of which at least two versions have so far been observed circulating in Facebook messages.


Figure 1.0 Screenshot of random private message

One of my colleagues was able to acquire a copy of an earlier version of this malware, which we will be using in our analysis for this article.


DYNAMIC ANALYSIS


Extracting the contents of the ZIP archive reveals a Windows executable using dual file extensions, a technique commonly used by malware to make a file appear to be of another format. This is most effective when the “Hide extensions for known file types” option is enabled in the Folder Options view settings, which is the default in most Windows installations.



Figure 2.0 A preview of the extracted Windows executable from the Facebook message spam

This malware is written in AutoIt, a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting, and then compiled into the Windows executable format for easy distribution.


With tools such as Exe2Aut, we can decompile the compiled Windows executable back into its script form. After decompiling, we see that the code has been obfuscated.


Figure 3.0 Decompiled output from Exe2Aut

Running the script's own decryption routine over its encrypted strings, we can clearly see what this malware is up to.


Figure 4.0 The same decompiled output in its decrypted format

Once executed, the malware downloads a configuration file from hxxp://xndnx[.]lecu[.]info/app/config.php using “Miner” as its User-Agent string. Download requests made to the malware’s server with any other User-Agent string return an invalid response.


Figure 5.0 Network traffic details

The configuration downloaded from the malware’s server reveals a list of download links from which the malware retrieves its components.


Figure 6.0 Downloaded configuration file

The malware creates a folder under the %APPDATA% directory named after the currently logged-on user, into which it downloads its components from the list in the retrieved configuration file.

After downloading, it creates a copy of itself into the created folder and creates an auto-execute registry entry for persistence.



The malware then terminates any running chrome.exe process via the taskkill command.



Afterwards, it re-spawns an instance of chrome.exe by calling it with the following parameters:



By running Chrome with the “--load-extension=” option, the malicious Chrome extension components, which were downloaded along with another executable, are loaded into Chrome. The loaded extension in turn starts an instance of chrome.exe in the background.

Our friends from Cyren Security Lab have documented an analysis of the malicious chrome extension component, which they identified as the component used in this malware campaign to spread the malicious Facebook messages.

The malware then finishes by running the downloaded Windows executable named updater.exe, which in turn spawns further processes on the system. Based on the behaviour described above, we identify this executable as the Downloader component of the campaign.


Figure 7.0 Malware process log
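The chain above (double-extension dropper, “Miner” User-Agent, Run-key persistence under %APPDATA%, chrome.exe killed by taskkill and relaunched with --load-extension) maps onto a handful of host-telemetry rules. The following is an added detection sketch, not code from the article or the CSP-CERT team; the event records, paths and the c2.example.invalid host are constructed sample data, and the field names are assumed rather than taken from any particular sensor.

```python
import re

# Constructed sample telemetry (not from the real sample): process creations, one
# registry write and one HTTP request, shaped like the chain described above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\alice\video_2017.mp4.exe",
     "cmdline": "video_2017.mp4.exe"},
    {"type": "http", "user_agent": "Miner", "url": "http://c2.example.invalid/app/config.php"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": r"C:\Users\alice\AppData\Roaming\alice\video_2017.mp4.exe"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im chrome.exe"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'chrome.exe --load-extension="C:\Users\alice\AppData\Roaming\alice\ext"'},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://www.example.com/"},
]

# A media/document extension immediately followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mkv|jpg|png|pdf|docx?)\.(exe|scr|com|pif)$", re.I)
# Paths under the per-user roaming profile, where the downloader stages its files.
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def classify(ev):
    """Return the finding labels that apply to one event (empty list if none)."""
    findings = []
    if ev["type"] == "process":
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        if DOUBLE_EXT.search(name):
            findings.append("double-extension-executable")
        if name == "taskkill.exe" and "chrome.exe" in cmd.lower():
            findings.append("chrome-killed-by-taskkill")
        if name == "chrome.exe" and "--load-extension=" in cmd:
            findings.append("chrome-load-extension")
            if APPDATA_ROAMING.search(cmd):  # extension sideloaded from a user-writable dir
                findings.append("extension-from-appdata")
    elif ev["type"] == "http" and ev["user_agent"] == "Miner":
        findings.append("miner-user-agent")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        if APPDATA_ROAMING.search(ev["value"]):
            findings.append("run-key-persistence-appdata")
    return findings

def scan(events):
    """Map event index -> findings for every event that matched at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}
```

Any single rule will fire on benign activity now and then (developers do sideload extensions); the value is in several of them firing on one host within a short window.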

By checking the child processes of “updater.exe” (PID 3032), we find a process named miner.exe, which is crypto malware flagged as Generic.Application.CoinMiner.1.



Figure 8.0 Crypto malware process and file details

The crypto malware comes with a configuration file, which helped us identify it as a Monero crypto miner. The configuration also includes the malware author’s miner credentials, which we used in our attribution.


Figure 9.0 Monero miner configuration file

With the crypto malware running in the background, a great deal of CPU capacity is consumed. This behaviour of crypto malware can slow the system down and may even lead to a BSOD, the Blue Screen of Death. Sustained excessive CPU use can also permanently damage the machine by overheating its hardware components.


ATTRIBUTION


From the miner account credentials found in the crypto malware configuration file, we are able to get a lead on the possible actor behind the Facebook message spam campaign.


A quick search through GitHub shows that the same account used for the Monero miner has recently forked the xmrig project, which matches the miner used in this campaign.

PREVENTION AND MITIGATION


To avoid having your system compromised by such malware actors, it is best practice NOT to click links in messages that seem suspicious, vague or out of context for the person who sent them to you.

Kudos to Maharlito Aquino and Eric Reyata for contribution.

The Cyber Security Philippines CERT (CSP-CERT) analyzes such malware as it enters the Philippine cyberspace.

Thanks for reading this article!

Regards!