Since you can install a Chrome Extension directly on the page, the only action the victim had to perform was to click “Add extension”. This page will also ask you to install a Chrome Extension. We noticed several different domains being used during the attack. When using Chrome, you are redirected to a fake YouTube page. Fake YouTube page with Chrome Extension installation Below, we will focus on Chrome as it is clear it was one of the targeted browsers for the spreading mechanism.įor the other browsers, ads were shown and adware was downloaded, read more about this under Landing Pages below. Redirect partyĪfter the Google Docs link is clicked, the user will go through a bunch of redirects, most likely fingerprinting the browser.
#Chrome apps facebook pdf
These were four links created for different victims, but three of them share the same IAM username (ID-34234) even though they were created using different Google Cloud Projects.Īt the time of the attack, none of the URLs being linked from the PDF preview were denylisted by Google. Collecting a bunch of examples, we can see some patterns: One friend changing the access rights of the link could potentially prevent the attack from spreading to the victim’s other friends.Īnother interesting detail is the user who created the file. Looking at how these links spread, the attack reuses the same link for all the victim’s friends. This configuration means that anyone who has the link can actually edit it.
The share settings are an interesting detail about the link created: Clicking the will send us to a page containing details about the PDF file being previewed. The PDF itself is created using PHP with TCPDF 6.2.13 and then uploaded to Google Docs using Google Cloud Services. This link is made by using the preview link of a shared PDF, most likely because it is the quickest way to get a large controlled content area on a legit Google domain with an external link. Google Docs shared PDF previewĬlicking on the link will redirect the user to a URL on. Together with a link created with a URL shortener. The message itself will consist of the first name of the user that gets the message, the word “Video” and one of these emojis selected at random: There are some interesting things in all these steps, so we will take a closer look below.
The conclusions can be broken down into a few steps, because it’s not only about spreading a link, the malware also notifies the attackers about each infection to collect statistics, and enumerates browsers. Also, since the script dynamically decided when to launch the attack, it had to be monitored when the attackers triggered it. There were multiple steps involved trying to figure out what the Javascript payloads did. Spreading mechanismįrans spent quite some time analyzing the JavaScript and trying to figure out how the malware was spreading, which might seem like a simple task but it wasn’t. They decided to jointly write this second part of the analysis, which is going to describe the attack in detail. Frans had a good point, so they started to compare notes and found out that Frans had actually analyzed some of the parts that David hadn’t. At the same time as Kaspersky Lab were analyzing this threat, a few researchers where doing the same, including Frans Rosen, Security Advisor at Detectify.Īfter Frans saw David’s tweet about the blog post, he called David and asked why they were both doing the same job. It’s been a few days since Kaspersky Lab’s blog post about the Multi Platform Facebook malware that was spread through Facebook Messenger.