In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users.  We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll.

This trojan is a browser helper object that loads a JavaScript to Internet Explorer. We detect the loaded JavaScript as Trojan:JS/Febipos.E. The plugin tries to look legitimate by calling itself MicrosoftSecurityPlugin when viewed in Internet Explorer add-ons.

Internet Explorer add-ons 

Figure 1: The plugin tries to look legitimate in Internet Explorer add-ons

Spamming links on Facebook

When installed and loaded successfully Trojan:Win32/Febipos.B!dll will attempt to load a configuration file that it downloads from supbr.info/<removed>.php. It can then access a logged in Facebook account to:

  • Like a page
  • Share
  • Post
  • Join a group
  • Invite friends to a group
  • Chat with your friends
  • Comment on a post

We have seen it post the following messages in Portuguese on the wall of a logged in Facebook account. It can also tag several of the affected user’s friends:

  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google! Acho que vale a pena
    I found a video on Youtube teaching how to earn $$ on the Internet through Google! I think it’s worth it.
  • Nem eu acredito, mas é verdade.
    Even I don’t believe it, but it’s true.
  • Dificuldades para PERDER PESO? Com ULTRA SLIM você emagrece sem sofrer!
    Struggling to lose weight? With ULTRA SLIM you lose weight without suffering!
  • PERCA PESO, GANHE SAÚDE E AUTO-ESTIMA. É DEPENDE DE VOCÊ.
    Lose weight, gain in health and self-steem. It’s only up to you.
  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google!
    I found a video on Youtube teaching how to earn $$ on the Internet through Google!
  • Oportunidade: Google paga R$160 por hora para trabalhar em Casa!
    Opportunity: Google pays R$ 160 per hour to work from home!
  • Ganhe R$15.000 por mês trabalhando em Casa na Internet. Acesse o Link e saiba como!
    Earn R$15,000 per month working from home on the Internet. Click on the link and find out how!

One of the following URLs is also included in the message:

  • dl.dropboxusercontent.com/<removed>/aan57i7rfpx6qo0/index.html
  • dl.dropboxusercontent.com/<removed>/kzsdfkep25dz1pi/index.html
  • dl.dropboxusercontent.com/<removed>/inxtfvhqti5hvvr/index.html

It may also use one of the following images:

An image used by Trojan:Win32/Febipos.B!dll Another image used by Trojan:Win32/Febipos.B!dll

Figure 2: An example of the images used by Trojan:Win32/Febipos.B!dll in Facebook spam

Here is an example of the Facebook post: 

An example Trojan:Win32/Febipos.B!dll Facebook post

Figure 3: An example Trojan:Win32/Febipos.B!dll Facebook post

When someone clicks on the link in the message, they are redirected to mprptrk.com/<removed>/v294v294e4p233r224w2t254/. This site will then redirect again to one of the following URLs:

  • www.ultraslimsystem.com.br/<removed>/
  • gazetadaweb.com/<removed>/

Installation

We have seen Trojan:Win32/Febipos.B!dll being dropped and loaded by Trojan:Win32/Febipos.B with the path and filename %appdata%\WService.dll. It is loaded using the legitimate Windows application named regsvr32.exe. This application is used to register dynamic-link libraries and ActiveX controls in the registry.

The trojan creates the following registry entries to register itself as a browser helper object:

  • HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    (default) = "MicrosoftSecurityPlugin"
  • HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32
    (default) = "%appdata%\WService.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    (default) = "MicrosoftSecurityPlugin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32
    (default) = "%appdata%\WService.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}

It will also create the following registry entry to ensure it is only loaded in Internet Explorer and not in Windows Explorer:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    NoExplorer = dword:00000001

The following registries entries are also created to disable some Internet Explorer notifications:

  • This will disable the IE notification to the user that the add-on is ready to use
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext
    IgnoreFrameApprovalCheck = dword:00000001
  • This will disable the add-on performance IE notifications
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext
    DisableAddonLoadTimePerformanceNotifications = dword:00000001

All of the above information was found at the time of our analysis; however, these websites can change at any time. In any case, we always recommend you keep your security products up-to-date with the latest definitions to help reduce your chance of infection.

Jonathan San Jose
MMPC

Sha1s:

5cbd9c1e870b09fdd4b67e7610acbea8dddee9bd - Trojan:Win32/Febipos.B
361546e95a79b96a15e15ab82b1849f68b7381b2 - Trojan:Win32/Febipos.B!dll
bad556fb373e14f7041b3361ca450b2156a5ecda - Trojan:JS/Febipos.E