Last month security researchers discovered Facebook password-stealer malware bundled with njRat. This month we got another sample, one that claims it can target a given profile and perform a DDoS against it. In reality it is a password stealer, and it targets Turkish users.
Static Analysis of the sample (code analysis)
File Type: 32-Bit Exe
Size: 845824 Byte(s)
Figure 1 CompilerDetect -> .NET
The malware is compiled with .NET, so we started with string and code analysis of the sample. Looking through the strings, we found some very interesting details:
· 0000000CCA0D 0000004CE60D 0 Account Close
· 0000000CCA29 0000004CE629 0 CheckBox3
· 0000000CCA63 0000004CE663 0 ProgressBar1
· 0000000CCA7D 0000004CE67D 0 Label4
· 0000000CCADF 0000004CE6DF 0 $this.BackgroundImage
· 0000000CCB0B 0000004CE70B 0 $this.Icon
· 0000000CCB21 0000004CE721 0 FACEBOOK
· 0000000CCB33 0000004CE733 0 FACEBOOK KAPATMA 2017
· 0000000CCB5F 0000004CE75F 0 Login Successful Account will be closed within 5 minutes.
· 0000000CCBD3 0000004CE7D3 0 furkanbabalog(at)gmail.com
· 0000000CCC03 0000004CE803 0 smtp.gmail.com
· 0000000CCC21 0000004CE821 0 sanane123
· 0000000CCC35 0000004CE835 0 Facebook_Kapatma_2017.Resources
· 0000000CDB66 0000004D2166 0 VS_VERSION_INFO
· 0000000CDBC2 0000004D21C2 0 VarFileInfo
· 0000000CDBE2 0000004D21E2 0 Translation
· 0000000CDC06 0000004D2206 0 StringFileInfo
· 0000000CDC2A 0000004D222A 0 000004b0
· 0000000CDC42 0000004D2242 0 FileDescription
· 0000000CDC64 0000004D2264 0 Facebook Kapatma 2017
· 0000000CDC96 0000004D2296 0 FileVersion
· 0000000CDCB0 0000004D22B0 0 220.127.116.11
· 0000000CDCC6 0000004D22C6 0 InternalName
· 0000000CDCE0 0000004D22E0 0 Facebook Kapatma 2017.exe
The file description, resource details and e-mail credentials are all found among these strings. Using these credentials, we tried to log in and stop the attack on the victims, but Gmail blocked the attempt because the device was not recognised. It is probably a placeholder account for the hacker.
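The string dump above is what gives this sample away: a mail server name, a mailbox and a password sitting next to each other in the binary. The script below is an added example (not from the post or the sample) of automating that triage. It pulls both ASCII and UTF-16LE strings out of a byte blob, since a .NET executable stores its user strings as UTF-16LE, and then flags an SMTP host, a mailbox address and any short password-like string located near them. The input blob is constructed to mimic the layout seen here; the mailbox and password in it are placeholders, not the values from the sample.

```python
import re

# Regexes for the two string encodings a .NET PE carries: ASCII (metadata
# tables, version info) and UTF-16LE (user strings in the #US heap).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Indicator patterns: an SMTP server name and a mailbox address.
SMTP_HOST_RE = re.compile(r"^(?:smtp|mail)\.[\w.-]+\.[a-z]{2,}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")

# Constructed stand-in for a binary: UTF-16LE user strings followed by ASCII
# version info. The mailbox and password are placeholders, not the sample's.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "FACEBOOK KAPATMA 2017".encode("utf-16-le") + b"\x00\x00"
    + "exfil.mailbox@example.com".encode("utf-16-le") + b"\x00\x00"
    + "smtp.gmail.com".encode("utf-16-le") + b"\x00\x00"
    + "Placeh0lder-Pw".encode("utf-16-le") + b"\x00\x00"
    + b"VS_VERSION_INFO\x00Facebook Kapatma 2017.exe\x00"
)


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for every ASCII or UTF-16LE string
    of four or more printable characters, sorted by file offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def find_smtp_exfil_indicators(strings, window: int = 3):
    """Flag SMTP hosts, mailbox addresses and nearby password-like strings.

    The heuristic relies on the layout seen in this sample: the hard-coded
    SMTP host, mailbox and password sit next to each other in the string
    table, so any short, space-free string within `window` entries of a
    host or address is reported as a password candidate."""
    texts = [text for _, _, text in strings]
    hosts = [t for t in texts if SMTP_HOST_RE.match(t)]
    emails = [t for t in texts if EMAIL_RE.match(t)]
    anchors = {i for i, t in enumerate(texts) if t in hosts or t in emails}

    candidates = []
    for i, t in enumerate(texts):
        if i in anchors or not any(abs(i - a) <= window for a in anchors):
            continue
        # Skip obvious non-secrets: strings with spaces, file names and
        # ALL_CAPS identifiers such as resource and version-info keys.
        if " " in t or "." in t or t.isupper() or not 6 <= len(t) <= 32:
            continue
        candidates.append(t)

    return {
        "smtp_hosts": hosts,
        "emails": emails,
        "password_candidates": candidates,
        "likely_smtp_exfil": bool(hosts and emails and candidates),
    }


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in strings:
        print(f"{offset:08x} {enc:8s} {text}")
    print(find_smtp_exfil_indicators(strings))
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `extract_strings`. The password heuristic is deliberately loose and will produce noise on a large binary; its value is in pairing a candidate with an SMTP host and mailbox that appear in the same neighbourhood, which is exactly the pattern this sample exhibits.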
Figure 2 Gmail security ask for verification
The file resources contain a background image that looks like the hackers from movie posters.
Figure 3 Background Image
Figure 4 Facebook Kapatma
‘Kapatma’ is a Turkish word meaning ‘close down’. The image above shows the classes found in the code. Inside the code we find the input fields, namely the checkboxes and labels.
The purpose is to collect the Facebook credentials the user enters to "log in" to the tool, while the URL field is meant to hold the profile to be attacked. Let us see how the collected details are transferred.
The code snippet above shows that the collected credentials are sent by e-mail: the tool logs in to the given Gmail account and sends the details to that same account, i.e. the from and to addresses are one and the same.
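Because the exfiltration channel is plain SMTP to smtp.gmail.com from an executable that has no business sending mail, a process-to-port rule catches it on the endpoint. The following is an added example, not part of the post, of that rule applied to a few constructed network-connection events in a Sysmon-like CSV layout (the field names, the timestamps and the mail-client allow-list are assumptions for the example).

```python
import csv
import io
import ntpath

# Ports an SMTP client uses: 25, 465 (SMTPS) and 587 (submission). A hard-coded
# smtp.gmail.com exfil needs one of them (assumption: no internal mail relay).
SMTP_PORTS = {25, 465, 587}

# Assumption: allow-list of mail clients expected to speak SMTP directly.
ALLOWED_SMTP_IMAGES = {"outlook.exe", "thunderbird.exe"}

# Constructed network-connection events in a Sysmon-like CSV shape.
SAMPLE_EVENTS = """\
time,host,image,dest_host,dest_port
2017-05-01T10:01:03,ws01,C:\\Users\\user\\Downloads\\Facebook Kapatma 2017.exe,smtp.gmail.com,587
2017-05-01T10:02:11,ws01,C:\\Program Files\\Microsoft Office\\Office16\\outlook.exe,smtp.office365.com,587
2017-05-01T10:03:40,ws02,C:\\Windows\\System32\\svchost.exe,update.example.com,443
2017-05-01T10:04:05,ws03,C:\\Users\\user\\Desktop\\Facebook Kapatma 2017.exe,smtp.gmail.com,465
"""


def flag_unexpected_smtp(events_csv: str):
    """Return one alert per connection to an SMTP port made by a process
    that is not on the mail-client allow-list."""
    alerts = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        port = int(row["dest_port"])
        # ntpath handles the Windows separator even when run on Linux.
        image_name = ntpath.basename(row["image"]).lower()
        if port in SMTP_PORTS and image_name not in ALLOWED_SMTP_IMAGES:
            alerts.append({
                "time": row["time"],
                "host": row["host"],
                "image": row["image"],
                "dest": f"{row['dest_host']}:{port}",
                "reason": "non-mail-client process speaking SMTP",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_smtp(SAMPLE_EVENTS):
        print(alert)
```

Outlook's own submission traffic passes, the stealer's two connections are reported. Since the stolen credentials and the attacker's mailbox password travel over this same channel, this is also the point at which a TLS-inspecting gateway or a mail-submission block for non-approved processes prevents the loss outright.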
Figure 5 GUI of the fake tool
We entered random text in the text boxes and ticked all the checkboxes. Once we clicked the button, a message box appeared saying the login was successful and the account would be closed within 5 minutes.
Figure 6 Login successful message box
No file or registry traces are left behind after the malware executes.
We are seeing an emerging trend of "Facebook hacking" and DDoS tools that actually steal the credentials of the person running the tool rather than attacking the stated target. It is high time to educate users that these tools are fake: they are password stealers, not hacking or cracking tools. In this case the lure targets Turkish speakers, and we can expect similar tools to appear for other parts of the world.