On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality. In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware. --- Ido Naor Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel. Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more. Aside from research, Ido is a martial arts expert and a father of two daughters. --- Dani Goland Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances. Dani has more than a decade of experience in programming on a variety of frameworks and languages. Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.

1. TAG ME IF YOU CAN
Ido Naor
Sr. Researcher, Kaspersky Lab Tw: @idonaor1
Dani Goland
Founder & CEO, Undot Tw: @danigoland

2. GReAT - Kaspersky Lab Elite Team Of Researchers
Global Research & Analysis Team, Since 2008
Threat Intelligence, research and innovation leadership
Focus: APTs, critical infrastructure threat, banking threats,
sophisticated targeted attacks.
• A decade in security eco
• Manage regional research in
Israel
• ExpertiZ
• Malware analysis
• Reverse Engineering
• Penetration Testing
• HobbiZ
Responsible Disclosure:

3. Undot – Uncovering Ideas
• Founder & CEO, Undot
• ExpertiZ
• Full-Stack Developer
• Entrepreneur
• Data Science Freak
• HobbiZ
Organizing and competing
in Hackathons
Undot
Experts
with
Control It –
Remotes Unified!
~500K downloads
F
r
o
n
t
M
o
b
i
l
e
B
a
c
k
C
l
o
u
d

4. IN THE NEWS…

5. RECAP

7. MENTIONED BY A FRIEND

8. WINDOWS DESIGNATED
• File: comment_27734045.jse
• Language: JScript
• Size: ~5.31 KB
• MD5: 9D3DF2A89FDB7DA40CEB4DE02D605CFA
• SHA1: 6D658331FE6D7F684FEE384A29CE95F561A5C2EA
JScript is Microsoft's dialect of the ECMAScript standard[2] that is used in Microsoft's Internet Explorer.
JScript is implemented as an Active Scripting engine. This means that it can be "plugged in" to OLE Automation
applications that support Active Scripting, such as Internet Explorer, Active Server Pages, and Windows Script Host.[3]
It also means such applications can use multiple Active Scripting languages, e.g., JScript, VBScript or PerlScript.

9. GLIMPSE INTO
THE JSE TROJAN
1) Domain name
2) Msxml2.XMLHTTP
3) ADODB.Stream
4) Wscript.Shell
5) JPG ext?
6) %AppData%
7) Autoit.exe
8) Manifest.json
9) Run.bat
10) Ping.js

10. WHO IS REALLY AMONG US?
/Stats/history/pingjse3462

11. BACKGROUND CHECK
• Emerged: January 2015 on
• Turkish variables and comments in its files
• Threat actor: BePush/Killim
• Innovative techniques to spread malware through social networks
• Favor multi-layered obfuscation, mainly in JavaScript, and utilize
multi-layered URL shorteners, third-party hosting providers and
multi-stage payloads.
• Obfuscate their infrastructure using Cloudflare

12. INITIAL INFECTION

13. DYNAMIC ANALYSIS

14. CHROME EXTENSION AS A MITM

15. ?
A HIDDEN VULNERABILITY

16. THE MISSING PIECE

17. OBFUSCATED DROPPER

18. DEOBFUSCATION

19. ANTI-ANALYSIS
• Debugger;

20. ANTI-ANALYSIS
• Code hashes

21. INITIATING THE CODE CRASH

22. GOOGLE TOKEN HIJACK
• Google URL Shortner
• Google Drive API

23. GOOGLE DRIVE AS A MALWARE HUB

24. VICTIM INFO STEALER
Dropper → Chrome Takeover → Malicious JS → Google
Permissions → Uploading malware to storage → HERE

25. VICTIM INFO STEALER

26. VICTIM INFO STEALER

27. GOOGLE DRIVE PERMISSION MODIFICATION

28. CREATING MALICIOUS CALLERS

29. FACEBOOK TOKEN HIJACK

30. HOW TO FAIL SAFE

31. HOW TO FAIL SAFE

32. VULNERABILITY IN THE WILD
1) Initialize a request to the
comment plugin
2) Get api_key & comment data
3) Create a comment on the
plugin, containing url to Google
Drive
4) Post is now posted – get its ID
5) Create a new comment on the
web platform
6) Inject the ID from the FB plugin
to the web FB comment ID
7) Notification generated
8) FB debug check
9) Set privacy to public
10) Set comment text to null
deleting the traces.
this.commentData["share_id"] =
globalFunction["between"]('"commentIDs":["', '"',
f["responseText"])["split"]("_")[1]; // 400539608410_10153962897128411
post_params = {
"ft_ent_identifier": this["commentData"]["share_id"], ← injection!!
"comment_text": gF["chain"](10)["toLowerCase"](),
"source": 21,
"client_id": Date["now"]() + ":" + Math["floor"](U2e[F](Date["now"](),
1000)),
"session_id": globalFunction["chain"](8)["toLowerCase"](),
"comment_text": "Array of tagged friends"
}
url: "https://www.facebook.com/ufi/add/comment/?dpr=1",
type: "POST",
async: true,
headers: {
"content-type": "application/x-www-form-urlencoded"
}
www.facebook.com/plugins/feedback.php?api_key=<
ID>&href=https://<GOOGLE_DRIVE>/<JSE_FILE>

33. ALL IN ALL

34. QUESTIONS?

35. THANK YOU!
Follow us on Twitter:
@IdoNaor1
@DaniGoland