* Disclosure: I used to work for Facebook's security team and focused on threats that impacted users on the platform. *<p>The post outlines in some detail a common attack done by some actors known as BePush/Kilim. I made a request for help in fighting these clowns months ago on a private security working group. Here's the post below which outlines a good amount of detail about the hacks and motives. If you are interested in tracking these actors yourself, it's pretty easy once you find one of their command and control servers.<p>Example: <a href="https://www.passivetotal.org/passive/userexperiencestatics.net" rel="nofollow">https://www.passivetotal.org/passive/userexperiencestatics.n...</a><p>From there, we can see the actors are using Cloudflare to obfuscate their infrastructure, but we can make a pivot based on the WhosAmungUs IDs (dsafagegg2 [1] and dsafagegg [2]) in order to find more websites owned by these guys. It's a rat's nest that extends to hundreds of domains registered weekly. Servers are typically hosted in places where legal action is difficult, meaning the attacks seldom stop or go down completely.<p><pre><code> [1] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg2
[2] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg
</code></pre>
-----------------------------------------------<p>As promised, below is a quick high-level summary of the malware outlined in the subject. We've been dealing with the malware for months and while some would call it spam, we consider it malware simply because any of the executables or Chrome extensions could be changed to steal passwords, credit cards or every document off a system. We welcome any help in dealing with these actors and would also be interested in new ways to combat malicious extensions, both Chrome and Firefox, as those are only increasing in usage.<p>If you would like more information on the technical details of the binaries, extensions or other loaders, feel free to shoot me a message. If there's enough interest, I will just spam the list, but would prefer to keep this to the higher level points, so others gain a better understanding of the threat.<p>-= Summary =-<p>BePush is a set of Turkish-based actors who use innovative techniques to spread malicious code and spam through social networking sites and ad-based networks. Those involved in the development of BePush malware are constantly adjusting their TTPs to account for changes in detection or disruption. Actors favor multiple levels of obfuscation through the use of short-url redirectors, third-party hosting providers and multi-stage payloads. Despite high infection rates, local law enforcement has yet to take an interest in pursuing those actors involved.<p>-= Infection Process =-<p>Based on our logs, primary infection processes tend to occur through direct traffic, followed by Facebook and various ad providers. Shortened URL links are shared among users which typically traverse through a series of redirects to a landing page mimicking Facebook infrastructure and using porn as a lure to install a plug-in.
Depending on the attacker behavior, payloads may be delivered in the form of a Google Chrome extension (hosted within the store) or through an executable (likely AutoHotkey, but could be Pyinstaller based) that later replaces Chrome with a version of Chromium with their malicious extension.<p>Once installed, malicious code will make use of the Facebook Graph API in order to make requests/posts on behalf of the infected user using a stolen access token. In order to establish a high infection count, the malicious code will often create pages with malicious links, post statuses/comments to the user's friends and spam within certain application pages. Once the spreading routine completes, the process generally begins again with the infected user's friends.<p>-= Motives and Capabilities =-<p>It appears the primary motivation for the BePush actors is the money gained through the sale of Facebook likes, followers or various ad-network and affiliate partners. In some cases, Facebook observed BePush actors including a bundled bitcoin miner, but it never appeared to gain much popularity.<p>From a capabilities perspective, actors involved with BePush appear to pay attention to how their code is detected. When numbers begin to dwindle, changes to the code or 3rd-party providers are made. Actors demonstrate a level of understanding in .Net programming, Python, JavaScript and techniques used to detect spam. We have also observed the actors repurposing browser exploits, but we never saw these used against users.<p>-= Third-Party Provider Usage =-<p>BePush favors the use of free and open infrastructure in order to keep their campaigns alive long enough to get a strong infection foothold. The following providers have been observed in some capacity:<p><pre><code> - Amazon AWS - Used for hosting content
- Dropbox - Used to host binaries
- Box.com (http://box.com/) - Used to host binaries
- Bitly - Used for redirection
- Tinyurl - Used for redirection
- Godaddy - Used for redirection
- WhosAmungUs - Used for campaign tracking
- Stellar - Used for bitcoin wallet hosting
- Imgur - Used for redirection
- Dot.tk - Used for redirection
- Google - Used for redirection, Chrome extensions and binary hosting
- CloudFlare - Used to obfuscate real infrastructure
- Microsoft Azure - Used to host binaries
</code></pre>
-= Detection and Research =-<p>BePush has a limited set of providers they prefer to use and through industry relationships, we have been able to put pressure on the attackers. Here are a couple items we noticed when doing disruption work that helped in making a larger impact against the group.<p>Using passive DNS data to identify other domains sitting on the same IP address (these guys don't use a lot of unique servers)
Use ESET (<i>Facebook</i>) or Microsoft (<i>Kilim</i>) AV signatures to identify new binaries being used
Polling whos.amung.us (<a href="http://whos.amung.us/" rel="nofollow">http://whos.amung.us/</a>) tracking pixels in order to identify/gauge recent campaigns
Reaching out to 3rd-parties with domain and hash combination for takedown<p>-= Reference Hashes and Domains =-
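As an added example (not part of the comment above and not Facebook's tooling), here are the two research pivots the post describes, the whos.amung.us tracker-ID pivot and the passive-DNS same-IP pivot, in Python. The pixel/script URL formats matched by the regexes are an assumption; the landing-page snippets and DNS records are constructed, with only the tracker IDs dsafagegg/dsafagegg2 taken from the post.

```python
import re
from collections import defaultdict

# Assumed forms of the whos.amung.us tracking pixel/script; the site ID is the
# last path segment or the k= parameter (assumption, not from the post).
WAU_PATTERNS = (
    re.compile(r"whos\.amung\.us/s?widget/([A-Za-z0-9_]+)"),
    re.compile(r"whos\.amung\.us/pingjs/\?k=([A-Za-z0-9_]+)"),
)

def extract_wau_ids(html):
    """Return the set of whos.amung.us IDs embedded in a page."""
    ids = set()
    for pat in WAU_PATTERNS:
        ids.update(pat.findall(html))
    return ids

def cluster_by_tracker(pages):
    """Map each tracker ID to the sorted list of domains embedding it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for wau_id in extract_wau_ids(html):
            clusters[wau_id].add(domain)
    return {k: sorted(v) for k, v in clusters.items()}

def cluster_by_ip(records, shared_ips=frozenset()):
    """Passive-DNS pivot: group domains by resolved IP. Shared addresses
    (a CDN such as Cloudflare) are skipped, since they merge unrelated sites."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        if ip not in shared_ips:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

# Constructed landing-page snippets; the IDs are the two quoted in the post.
SAMPLE_PAGES = {
    "lure-a.example": '<img src="//whos.amung.us/swidget/dsafagegg2.gif">',
    "lure-b.example": '<script src="//whos.amung.us/pingjs/?k=dsafagegg2"></script>',
    "lure-c.example": '<script src="//whos.amung.us/widget/dsafagegg"></script>',
    "unrelated.example": "<html><body>no tracker here</body></html>",
}

# Constructed passive-DNS records using documentation IP ranges.
SAMPLE_PDNS = [
    ("lure-a.example", "203.0.113.10"),
    ("lure-c.example", "203.0.113.10"),
    ("lure-b.example", "198.51.100.5"),      # behind a shared/CDN address
    ("unrelated.example", "198.51.100.5"),
]

if __name__ == "__main__":
    print(cluster_by_tracker(SAMPLE_PAGES))
    print(cluster_by_ip(SAMPLE_PDNS, shared_ips={"198.51.100.5"}))
```

With the shared CDN address excluded, only the two lure domains on 203.0.113.10 cluster together, while the tracker pivot still links lure-b to lure-a through dsafagegg2.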