Research

Facebook stalker application now localized

It seems I’m not doing anything other than write about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.

As with the other cases we have seen, the user is tricked into executing a JavaScript in their browser; that script then loads another script from another domain. The bad guys use this setup to make it harder for antivirus companies to block these domains. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be denylisted.

al[CUT].info
ba[CUT]u.info
ba[CUT]o.info
bb[CUT]o.info
bc[CUT]o.info
bd[CUT]o.info
ca[CUT]p.info
da[CUT]p.info
d[CUT]o
la[CUT]i.info
la[CUT]e.info
lb[CUT]i.info
lc[CUT]i.info
ld[CUT]i.info
le[CUT]i.info
lf[CUT]i.info
lg[CUT]i.info
lh[CUT]i.info
ma[CUT]e.info
ma [CUT]f.info
mb[CUT]f.info
mc[CUT]f.info
md[CUT]f.info
mf[CUT]f.info

mg[CUT]f.info

my[CUT]s.info
ta[CUT]o.info

tb[CUT]o.info
tc[CUT]o.info
td[CUT]o.info
td[CUT]o.info
te[CUT]o.info
tf[CUT]o.info
vd[CUT]y.info
ve[CUT]y.info
xe[CUT]t.info
xf[CUT]t.info
yb[CUT]a.info
yc[CUT]a.info
yd[CUT]a.info
ye[CUT]a.info
yf[CUT]a.info
yg[CUT]a.info

Facebook stalker application now localized

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox