
Facebook stalker application now localized

It seems I’m not doing anything other than writing about malware on Facebook, but here goes again. As you have probably read, or seen for yourself on Facebook, there are quite a few applications pretending to show you a list of the people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.

As with the other cases we have seen, the user is tricked into executing a piece of JavaScript in their browser; that script then loads a second script from another domain. The bad guys use this two-stage setup to make it harder for antivirus companies to block the domains involved. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be denylisted.

