
Facebook stalker application now localized

It seems I’m not doing anything other than writing about malware on Facebook, but here goes again. As you have probably read, or seen for yourself on Facebook, there are quite a few applications that pretend to show you a list of the people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something I haven’t seen before – the applications have changed tactics and are now localized, meaning that both the page and the message being spread are served in different languages. In my case the language was Swedish, since I’m in Sweden, and I presume the worms are localized for other languages as well.

As in the other cases we have seen, the user is tricked into running a piece of JavaScript in their browser; that inline script then loads a second script from another domain. The bad guys use this two-stage setup to make it harder for antivirus companies to block the domains involved. This particular case is pretty funny – thanks to a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be denylisted.
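As an added example (not code from the original post), here is a small triage routine for the two-stage pattern just described: given a snippet a user has been told to run in their browser, it checks whether the snippet injects a script tag, extracts the hosts that script would be fetched from, and matches them against a denylist. The domains in it are constructed placeholders, not the ones from this scam.

```javascript
// Added example (not from the original post): triage a snippet a user has been
// told to run in their browser. It looks for inline code that injects a <script>
// tag pointing at another domain, extracts the hosts it would load from, and
// matches them against a denylist of known scam domains.
// All domains below are constructed placeholders, not the ones from the post.
const DENYLIST = new Set(["stalker-example.invalid", "scam-example.invalid"]);

const URL_RE = /https?:\/\/[^\s'"()<>,;]+/gi; // http(s) URLs anywhere in the text
const LOADER_RE = /createElement\s*\(\s*['"]script['"]\s*\)|<script[\s>]|\.src\s*=/i;
const OBFUSCATION_RE = /fromCharCode|unescape\s*\(|atob\s*\(|eval\s*\(/i;

// Hostnames of every http(s) URL in the snippet, lower-cased and deduplicated.
function extractHosts(snippet) {
  const hosts = new Set();
  for (const m of snippet.match(URL_RE) || []) {
    try { hosts.add(new URL(m).hostname.toLowerCase()); } catch (_) { /* not a parsable URL */ }
  }
  return [...hosts];
}

// A host matches if it is on the denylist or is a subdomain of a listed name.
function isDenylisted(host, denylist) {
  if (denylist.has(host)) return true;
  for (const d of denylist) if (host.endsWith("." + d)) return true;
  return false;
}

// Returns a verdict plus the evidence behind it:
//   "block"          - injects a script fetched from a denylisted host
//   "review"         - loads remote code, or hides its URL behind decoding calls
//   "no-remote-load" - nothing in the snippet fetches code from elsewhere
function classify(snippet, denylist = DENYLIST) {
  const loadsScript = LOADER_RE.test(snippet);
  const obfuscated = OBFUSCATION_RE.test(snippet);
  const hosts = loadsScript ? extractHosts(snippet) : [];
  const hits = hosts.filter((h) => isDenylisted(h, denylist));
  let verdict = "no-remote-load";
  if (hits.length) verdict = "block";
  else if (hosts.length || obfuscated) verdict = "review";
  return { verdict, hosts, hits, loadsScript, obfuscated };
}
```

A snippet that decodes its URL at runtime (for example via `String.fromCharCode`) yields no host to match, so it is flagged for review rather than passed.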

