I was tricked on Facebook into downloading an obfuscated script

  • I got a notification on Facebook: "(a friend of mine) mentioned you in a comment". However, when I clicked it, Firefox tried to download the following file:

    comment_24016875.jse

    This is an obfuscated script which seems to download an executable (autoit.exe) and run it.

    This is the part I managed to deobfuscate:

    ['Msxml2.XMLhttp', 'onreadystatechange', 'readyState', 'status', 'ADODB.Stream', 'open',
     'type', 'write', 'position', 'read', 'saveToFile', 'close', 'GET', 'send',
     'Scripting.FileSystemObject', 'WScript.Shell', 'Shell.Application', '%APPDATA%\\',
     'ExpandEnvironmentStrings', 'Mozila', 'https://www.google.com',
     'http://userexperiencestatics.net/ext/Autoit.jpg',   '\\autoit.exe',
     'http://userexperiencestatics.net/ext/bg.jpg',       '\\bg.js',
     'http://userexperiencestatics.net/ext/ekl.jpg',      '\\ekl.au3',
     'http://userexperiencestatics.net/ext/ff.jpg',       '\\ff.zip',
     'http://userexperiencestatics.net/ext/force.jpg',    '\\force.au3',
     'http://userexperiencestatics.net/ext/sabit.jpg',    '\\sabit.au3',
     'http://userexperiencestatics.net/ext/manifest.jpg', '\\manifest.json',
     'http://userexperiencestatics.net/ext/run.jpg',      '\\run.bat',
     'http://userexperiencestatics.net/ext/up.jpg',       '\\up.au3',
     'http://whos.amung.us/pingjs/?k=pingjse346',         '\\ping.js',
     'http://whos.amung.us/pingjs/?k=pingjse3462',        '\\ping2.js', '']
    

    Is this an exploit on Facebook? Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links? Should I report this to Facebook? If so, how?

    Is that link something you re-uploaded or the actual link you were sent? I ask because I would like to get the original link taken down.

    That's the original link.

    Well I hope that didn't autorun, because I wasn't expecting my browser to download that when I clicked the link.

    I do not believe your friend was targeted. You cannot control the content of notifications. If anything, Facebook itself was exploited with a completely fraudulent notification.

    Question from the peanut gallery: Would a reasonable anti-virus package (eg, Norton) have caught this?

    I'm dumb but you mean you clicked on the FB notification and *that* notification link got you to download the malware, or you clicked on whatever link/post your friend tagged you in?

    I think the malware is incomplete because it only partially succeeded in infecting the server; maybe some third-party tool blocked some parts of the malware?
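
The string table in the question is the useful part of the deobfuscation: once an index-based obfuscator's array is recovered, the indicators of compromise can be pulled out mechanically. The script below is an added example for this page (not the asker's code or anything from the malware): it takes the posted array as its input, pairs each download URL with the local file name that follows it, notes the WSH download-and-drop primitives present, and lists which payloads are renamed from `.jpg` on the server to something executable on disk. The treatment of `https://www.google.com` as a likely connectivity check is an assumption; the code simply reports it as a URL with no paired file name.

```python
import os
import re
from urllib.parse import urlparse

# String table recovered from comment_24016875.jse, exactly as posted in the
# question. Obfuscated WSH scripts commonly keep every literal in one array and
# reference it by index, so once the array is recovered the IoCs fall out.
STRINGS = [
    'Msxml2.XMLhttp', 'onreadystatechange', 'readyState', 'status', 'ADODB.Stream', 'open',
    'type', 'write', 'position', 'read', 'saveToFile', 'close', 'GET', 'send',
    'Scripting.FileSystemObject', 'WScript.Shell', 'Shell.Application', '%APPDATA%\\',
    'ExpandEnvironmentStrings', 'Mozila', 'https://www.google.com',
    'http://userexperiencestatics.net/ext/Autoit.jpg',   '\\autoit.exe',
    'http://userexperiencestatics.net/ext/bg.jpg',       '\\bg.js',
    'http://userexperiencestatics.net/ext/ekl.jpg',      '\\ekl.au3',
    'http://userexperiencestatics.net/ext/ff.jpg',       '\\ff.zip',
    'http://userexperiencestatics.net/ext/force.jpg',    '\\force.au3',
    'http://userexperiencestatics.net/ext/sabit.jpg',    '\\sabit.au3',
    'http://userexperiencestatics.net/ext/manifest.jpg', '\\manifest.json',
    'http://userexperiencestatics.net/ext/run.jpg',      '\\run.bat',
    'http://userexperiencestatics.net/ext/up.jpg',       '\\up.au3',
    'http://whos.amung.us/pingjs/?k=pingjse346',         '\\ping.js',
    'http://whos.amung.us/pingjs/?k=pingjse3462',        '\\ping2.js', '',
]

# COM objects and methods that together form the classic WSH download-and-drop
# chain; seeing most of them in one script is a strong detection signal.
DOWNLOADER_PRIMITIVES = {
    'Msxml2.XMLhttp': 'HTTP client used to fetch each payload',
    'ADODB.Stream': 'binary stream holding the response body',
    'saveToFile': 'writes the stream to disk',
    'Scripting.FileSystemObject': 'file system access',
    'WScript.Shell': 'launches the dropped files',
    'ExpandEnvironmentStrings': 'resolves %APPDATA% to the drop directory',
}


def find_primitives(strings):
    """Return the downloader primitives present in the string table."""
    return {s: DOWNLOADER_PRIMITIVES[s] for s in strings if s in DOWNLOADER_PRIMITIVES}


def pair_downloads(strings):
    """Pair each URL with the '\\name' entry that immediately follows it.

    A URL not followed by a local name (here https://www.google.com, assumed to
    be a connectivity check) goes into the second list rather than being guessed at.
    """
    pairs, unpaired = [], []
    for i, s in enumerate(strings):
        if not re.match(r'https?://', s):
            continue
        nxt = strings[i + 1] if i + 1 < len(strings) else ''
        if nxt.startswith('\\'):
            pairs.append((s, nxt.lstrip('\\')))
        else:
            unpaired.append(s)
    return pairs, unpaired


def drop_directory(strings):
    """The environment-variable prefix the script expands for its drop path."""
    for s in strings:
        if s.startswith('%') and s.count('%') >= 2:
            return s
    return None


def extension_mismatches(pairs):
    """URLs whose remote extension differs from the local name they are saved as
    (the '.jpg on the server, .exe/.js/.au3 on disk' trick noted in the answer)."""
    out = []
    for url, local in pairs:
        remote_ext = os.path.splitext(urlparse(url).path)[1].lstrip('.').lower()
        local_ext = os.path.splitext(local)[1].lstrip('.').lower()
        if remote_ext and remote_ext != local_ext:
            out.append((url, local))
    return out


def hosts(pairs):
    """Distinct hostnames to pass to the hosting provider or a blocklist."""
    return sorted({urlparse(u).netloc for u, _ in pairs})


def report(strings=STRINGS):
    pairs, unpaired = pair_downloads(strings)
    return {
        'primitives': find_primitives(strings),
        'drop_dir': drop_directory(strings),
        'downloads': pairs,
        'unpaired_urls': unpaired,
        'hosts': hosts(pairs),
        'disguised': extension_mismatches(pairs),
    }


if __name__ == '__main__':
    r = report()
    print(f"drop dir: {r['drop_dir']}")
    for url, local in r['downloads']:
        print(f"{url} -> {local}")
    print("hosts:", ', '.join(r['hosts']))
```

Run as-is it prints the eleven URL-to-file pairs and the two hosts; the `primitives` entry is the part worth turning into a detection rule, since the six names together (HTTP object, binary stream, `saveToFile`, shell object, `%APPDATA%` expansion) describe the downloader regardless of which URLs a later variant uses.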

  • This is a typical obfuscated JavaScript malware which targets the Windows Script Host to download the rest of the payload. In this case, it downloads what appears to be mainly a Chrome extension (manifest.json and bg.js), the AutoIt Windows executable, and some AutoIt scripts which install them. All of these files are named with .jpg extensions on the (likely compromised) server hosting them, to be less conspicuous.

    The malware appears to be partially incomplete or otherwise underdeveloped or perhaps based off some other malware (quality is very low). Many of the autoit scripts don't actually do anything, and what appears to be a ZIP meant to contain a Firefox extension is actually empty. The autoit scripts are a ton of includes combined into a single file, but only one (ekl) actually has a payload at the end.

    The one active autoit script which runs on infection replaces the Chrome, IE, and possibly other browser shortcuts with a shortcut to Chrome with the necessary arguments to run the malicious Chrome extension.

    The Chrome extension is mainly how this malware is being propagated. It does some nasty things like blacklisting antivirus software domains, and sending Facebook messages automatically. Actually there was a webservice back end at http://appcdn.co/datajs serving some scripts which would be injected on any page a user visited based on the URL currently being viewed, which was how the Facebook messages were being posted. This service is now offline, likely taken down.

    Is this an exploit on Facebook?

    Not exactly, more like abuse of Facebook. Facebook's code hasn't been exploited; your friend just has an infected browser phishing their contacts on their behalf.

    Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links?

    Yep, that's exactly how this malware is spreading itself.

    Should I report this to Facebook? If so, how?

    Yes, see How to Report Things in the Facebook help center.

    Getting the following URLs taken offline by contacting their hosts would also be good.

    http://userexperiencestatics.net/ext/Autoit.jpg
    http://userexperiencestatics.net/ext/bg.jpg
    http://userexperiencestatics.net/ext/ekl.jpg
    http://userexperiencestatics.net/ext/ff.jpg
    http://userexperiencestatics.net/ext/force.jpg
    http://userexperiencestatics.net/ext/sabit.jpg
    http://userexperiencestatics.net/ext/manifest.jpg
    http://userexperiencestatics.net/ext/run.jpg
    http://userexperiencestatics.net/ext/up.jpg
    http://whos.amung.us/pingjs/?k=pingjse346
    http://whos.amung.us/pingjs/?k=pingjse3462
    http://appcdn.co/datajs
    

    Unfortunately, CloudFlare still has not taken the userexperiencestatics.net URLs down, though I contacted them shortly after posting this answer, and I don't know who is actually hosting these files. CloudFlare just emailed me to say they restricted access to the files, and say they will notify the host.

    UPDATE:

    After I and likely others reported the .jse URL to Google, they appear to have taken down the file. If you find any more copies, those should also be reported. It seems people have been receiving the files from numerous sources.

    MORE INFO:

    This malware and post is getting a lot of attention, so I'll add some more info to address people's questions:

    Will this file automatically run when downloaded?

    Probably not unless you have configured your browser to do so. It is meant to trick you into opening it.

    Can it infect my phone, or a non-Windows computer?

    As far as I know, Windows is the only OS which can run this malware. As I mentioned, it uses the Windows Script Host. I don't believe even Windows phone is vulnerable, though I don't know much about Windows phone.

    UPDATE ON RANSOMWARE:

    Previously it was assumed the AutoIt scripts contained ransomware; however, after further inspection this appears not to be the case. There is just a bunch of unused crypto functions obscuring the actual payload, which I've mostly deobfuscated to this.

    UPDATE ON CHROME EXTENSION:

    The unpacked Chrome extension code can be viewed here. Details on what it did are integrated above.

    UPDATE FOR JSE SCRIPT:

    My de-obfuscated comment_24016875.jse script can be viewed here.

    I've reported the `userexperiencestatics.net` URL to Google and MyWOT. The `whos.amung.us` URL appears to simply be some form of analytics.

    @NathanOsman Yep, I reported the `.jse` file to Google earlier, and it appears to have been taken down. I reported the `userexperiencestatics.net` URLs to CloudFlare, but no results yet.

    The `.jpg` files are actually PE executable files with the incorrect file extension. They need to be taken down too.

    @NathanOsman Well, one is. Others are JavaScript, autoit scripts, and JSON.

    What looks like Facebook's fault to me: the script was downloaded for me when I clicked a link I received from Facebook to my mail (https://facebook.com/l.php?u=https%3A%2F%2Fdoc.google.com…) even though the post itself had been deleted by then. I believe that their service was exploited to pass an external URL as a direct link to a comment. This redirect service has been criticized before: http://www.codehesive.com/index.php/archive/facebook-privacy-and-the-mystery-of-l-php/

    @AlexanderO'Mara Could you incorporate that this was indeed an XXE vulnerability in Facebook's code, since the link to the malware was not just posted as a comment, but actually sent by Facebook to private email accounts?

    @Falco Sure, but first could you clarify how you know this happened? I haven't been able to find evidence of it, but I also did not receive one of these emails.

    Re: "The malware appears to be partially incomplete": The author of the malware may not have very high coding standards: from your description, it sounds like a lot of copy-and-pasting happened, or a lot of starting various angles and then discarding them, with no cleanup afterward once (some) stuff was working.

    I did receive this email
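
The comments above disagree about what the `.jpg` files actually are (one is said to be a PE executable, the others JavaScript, AutoIt scripts and JSON), and the answer notes that the supposed Firefox-extension ZIP is empty. The question is settled by content, not by file name, so here is a small content-based triage written as an added example for this page; it is not the answerer's code and the sample bytes are constructed stand-ins (a minimal DOS/PE header, a line of extension JavaScript, a made-up manifest, an empty ZIP and a genuine JPEG header), not the real payloads. The JavaScript markers used as a fallback are a heuristic, not a parser.

```python
import io
import json
import zipfile


def _empty_zip():
    # What an "empty extension ZIP" looks like: only the end-of-central-directory record.
    buf = io.BytesIO()
    zipfile.ZipFile(buf, 'w').close()
    return buf.getvalue()


# Constructed samples, labelled as such. Autoit.jpg is a DOS header whose
# e_lfanew field (offset 60) points at a PE signature at offset 64.
SAMPLES = {
    'Autoit.jpg':   b'MZ' + b'\x00' * 58 + (64).to_bytes(4, 'little') + b'PE\x00\x00',
    'bg.jpg':       b'chrome.webRequest.onBeforeRequest.addListener(function (d) { return {cancel: true}; });',
    'manifest.jpg': b'{"manifest_version": 2, "name": "constructed", "version": "0.1", '
                    b'"background": {"scripts": ["bg.js"]}}',
    'ff.jpg':       _empty_zip(),
    'photo.jpg':    b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01',
}

# Heuristic tokens for script text that failed to parse as JSON.
JS_MARKERS = (b'function', b'ActiveXObject', b'WScript', b'chrome.', b'var ')


def identify(data):
    """Classify a blob by its content, ignoring whatever name it was served under."""
    if data[:3] == b'\xff\xd8\xff':
        return 'jpeg'
    if data[:2] == b'MZ':
        # Follow e_lfanew to confirm there is a real PE header behind the DOS stub.
        off = int.from_bytes(data[60:64], 'little')
        return 'pe' if data[off:off + 4] == b'PE\x00\x00' else 'mz (no PE header)'
    if data[:2] == b'PK':
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return 'zip (corrupt)'
        return 'zip (empty)' if not names else 'zip'
    try:
        obj = json.loads(data)
        if isinstance(obj, dict) and 'manifest_version' in obj:
            return 'chrome-extension-manifest'
        return 'json'
    except ValueError:  # includes JSONDecodeError and UnicodeDecodeError
        pass
    if any(marker in data for marker in JS_MARKERS):
        return 'javascript'
    return 'unknown'


def triage(files):
    """Map file name -> (detected type, True if the extension misrepresents the content)."""
    result = {}
    for name, data in files.items():
        ext = name.rsplit('.', 1)[-1].lower()
        detected = identify(data)
        lies = ext in ('jpg', 'jpeg') and detected != 'jpeg'
        result[name] = (detected, lies)
    return result


if __name__ == '__main__':
    for name, (kind, lies) in triage(SAMPLES).items():
        flag = '  <-- extension does not match content' if lies else ''
        print(f'{name:14s} {kind}{flag}')
```

Only `photo.jpg` passes; the other four are flagged, which is the same conclusion the comments reached by hand. The same check is what a download proxy or mail gateway should apply: a `.jpg` whose first bytes are `MZ` or `PK`, or that parses as JSON, is not an image whatever the URL says.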

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM