Spyware “CyberDuck” for Facebook advertising business users

Jun 22, 2019 | kate

Recently, 360 Security Center detected a type of hacking Trojan for Facebook business users. Such Trojans are spread through downloaders, cracking tools, etc. The affected users are mainly distributed in Russia, Ukraine and other countries.

Regional distribution of the virus

After infecting the user’s machine, the CyberDuck Trojan will steal information such as the account password of the business user who opened the Facebook ADS service.

Technical Analysis

360 Security Center discovered that the virus is mainly spread through a downloader. Since the file descriptions of these downloaders are all “Cyberduck”, we name this family of Trojans after it, as follows:

The software running interface is shown below:

The software running interface

After the download completes, the program does not exit; instead it silently downloads and executes other virus modules in the background, fetching the hacking Trojan from http[:]//www.rulifer.pw/x/seescenicelfx.exe and executing it locally. Seescenicelfx.exe decrypts a 7z archive in memory and extracts help.dll into the %ProgramData%\fb directory. The relevant code logic is as follows:

The relevant code logic

It then loads the export function Test() of help.dll:

Loading the export function Test() of help.dll

Help.dll will download update.dll and load its export function Test():

Help.dll will download update.dll and load its export function Test()

Update.dll embeds a dynamic library, SharpX.dll, written in .NET, so before running it loads the .NET runtime into the process and initializes the member functions of the SharpX.AppInstance class for SharpX.dll to call:

Update.dll embeds a dynamic library SharpX.dll written in .NET language

After obtaining the browser cookie information, SharpX.dll creates a new thread to execute the DoWorker() function, requests the configuration information of the Facebook account from the server with a forged HTTPS request, and then matches the returned data against the information the virus author is after. The request and the stolen information are shown in the following table:

The request and the stolen information

One thing worth attention is that the virus finally determines whether the Facebook account has opened the Ads Manager service and has credit card information bound to it, from which we infer that the virus mainly targets commercial users who run Facebook advertising campaigns. Once it determines that the account belongs to such a commercial user, it calls BHGetChromePass() to steal the Facebook account password; the relevant code logic is as follows:

the relevant code logic

Finally, the collected information is encrypted by AES and sent to the C&C server:

the collected information is encrypted by AES and sent to the C&C server

360 Security Brain has detected such Trojans; affected users should install 360 Total Security to remove them.

360 security brain has detected such Trojans

IoCs:

http[:]//www.rulifer.pw/x/seescenicelfx.exe

http[:]//www.begood.pw/f/update.txt

http[:]//www.seemorebty.com
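As an added example that is not part of the 360 analysis, the following Python script runs the report's indicators over a few constructed endpoint log lines: it flags connections to the IoC hosts, writes into the %ProgramData%\fb staging directory and the payload file names from the chain above, then lists processes with more than one hit. The log format, the sample events and the path pattern are assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts from the report's IoC list; file names from the infection chain it describes.
IOC_HOSTS = {"www.rulifer.pw", "www.begood.pw", "www.seemorebty.com"}
IOC_FILES = {"seescenicelfx.exe", "help.dll", "update.dll", "sharpx.dll"}
# Staging dir from the report (%ProgramData%\fb); matching the variable or its expansion is an assumption.
STAGING_DIR = re.compile(r"(?:%programdata%|\\programdata)\\fb\\", re.IGNORECASE)

# Constructed sample events in a hypothetical "ts|event|process|detail" log format.
SAMPLE_LOG = """\
10:00:01|NET|cyberduck_setup.exe|GET http[:]//www.rulifer.pw/x/seescenicelfx.exe
10:00:02|FILE|cyberduck_setup.exe|C:\\Users\\bob\\Downloads\\seescenicelfx.exe
10:00:05|FILE|seescenicelfx.exe|C:\\ProgramData\\fb\\help.dll
10:00:06|NET|seescenicelfx.exe|GET http[:]//www.begood.pw/f/update.txt
10:00:09|NET|chrome.exe|GET https://www.facebook.com/
10:00:10|FILE|svchost.exe|C:\\Windows\\Temp\\update.log
"""

def classify(event: str, detail: str):
    """Label one event, or return None when nothing from the report matches."""
    if event == "NET":
        # Sensors may log defanged "http[:]//" URLs as the report does; refang before parsing.
        url = detail.split()[-1].replace("[:]", ":")
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            return f"ioc-host:{host}"
    elif event == "FILE":
        if STAGING_DIR.search(detail):
            return "staging-dir-write"
        if detail.rsplit("\\", 1)[-1].lower() in IOC_FILES:
            return "known-payload-name"
    return None

def scan(log_text: str):
    """Return (timestamp, process, label) for every event that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        ts, event, proc, detail = line.split("|", 3)
        label = classify(event, detail)
        if label:
            findings.append((ts, proc, label))
    return findings

def chained_processes(findings):
    """Processes with two or more hits, i.e. the downloader -> stager chain described above."""
    counts = {}
    for _, proc, _ in findings:
        counts[proc] = counts.get(proc, 0) + 1
    return sorted(p for p, n in counts.items() if n >= 2)
```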
