Worm 2.0, or LilyJade in action

It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.


How it all began …

While we were monitoring the activity of a certain botnet the other day, we detected a strange installer being downloaded. It established a connection with the site, had the application ID 4761, and installed applications into the PROGRAM FILES folder under the name “FACEBOOK LILY SYSTEM”. The Crossrider system is intended for writing unified plugins for Internet Explorer (version 7 onwards), Mozilla Firefox 3.5 and Google Chrome. In this malicious program, the plugin for Google Chrome is the easiest to analyze – it consists of just two lines:

The content of the file extension.js installed into the plugin folder in Google Chrome

The first line loads the regular jQuery functions, and the second loads the main body of the malicious program.

This malicious program’s main functionality is to spoof ad modules on Yahoo, YouTube, Bing/MSN, AOL, Google and Facebook. Its payload also includes a propagation mechanism that works via Facebook.

Spreading the seeds

The malicious program spreads by publishing spam messages from compromised accounts. This functionality is implemented by the following code:

The self-propagation code in the malicious program

The links in the spam messages lead to compromised sites, where hidden iframes redirect users to the NuclearPack exploit kit. This kit includes the source installer for this malicious program as well as browser plugins.

Fragment of code from a compromised site
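
For site owners and responders checking pages for the kind of hidden iframe described above, the following sketch flags iframes that a visitor cannot see. It is an added example, not code from the original analysis or from the malware; the hiding heuristics, the name `find_hidden_iframes` and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Tags that never get a closing tag, so they must not go on the open-tag stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
# Inline styles that take an element out of the visitor's view (heuristic, assumed list).
HIDING_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                          r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
                          r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

class HiddenIframeFinder(HTMLParser):
    """Records (src, reason) for every iframe the visitor cannot see."""
    def __init__(self):
        super().__init__()
        self.findings, self._open = [], []   # _open: stack of (tag, hiding reason)

    def _hiding_reason(self, attrs):
        a = {k: (v or "") for k, v in attrs}
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                return f"{dim}={a[dim]}"
        if "hidden" in a:
            return "hidden attribute"
        m = HIDING_STYLE.search(a.get("style", ""))
        return f"style {m.group(0).strip()}" if m else None

    def handle_starttag(self, tag, attrs):
        reason = self._hiding_reason(attrs)
        if tag == "iframe":
            # An iframe is also invisible when any enclosing element is hidden.
            parent = next((r for _, r in self._open if r), None)
            if reason or parent:
                self.findings.append((dict(attrs).get("src"), reason or f"hidden parent: {parent}"))
        if tag not in VOID:
            self._open.append((tag, reason))

    def handle_endtag(self, tag):
        names = [t for t, _ in self._open]
        if tag in names:   # pop back to the matching open tag; ignore stray closers
            del self._open[len(names) - 1 - names[::-1].index(tag):]

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (reserved .example hosts), not taken from the compromised sites.
SAMPLE = """<body><iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://redirector.example/in.php" width="1" height="1" frameborder="0"></iframe>
<div style="position:absolute; left:-9999px"><img src="a.png"><iframe src="http://gate.example/x"></iframe></div>
<iframe src="http://third.example/" style="visibility: hidden"></iframe>
<iframe src="https://maps.example/" style="width:100%; height:300px"></iframe></body>"""
```

The check only sees static markup, so iframes injected by script at load time need a rendered-DOM snapshot as input instead of the raw page source.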

After undertaking a brief analysis of the C&C server, we have also tracked down someone selling this malicious program online; the software was put up for sale on hacking forums just yesterday. The malware was named LilyJade by its creator. The price is $1000; an extra $500 is charged for the source installer.

LilyJade ad on a hacking forum


This malicious program is an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal income for their owners by spoofing various services.

On their site, Crossrider’s creators announce that API support currently available for Facebook will soon become available for Twitter. Can’t wait for that.
