NEWS FROM THE LAB - Wednesday, August 7, 2013

On Fake "F-Secure Security Pack" Malicious Browser Extension Posted by Antti @ 09:19 GMT

We have been following a malicious browser extension that claims to have been developed by various software companies.

The extension installs itself into the browser and makes posts to social media sites such as Twitter, Facebook and Google+ on the user's behalf. One of the variants installs itself as "F-Secure Security Pack" — and trust us — it's definitely not coming from us.

The installer for this malware is commonly a self-extracting WinRAR executable, although samples come packed in various other ways as well. We can take a peek at the contents of one of the samples:

Contents of malware installer

The file list already hints at what the installer drops: an extension for both Firefox and Chrome (the .xpi and .crx files).

The executables for this malware are signed using a certificate assigned to a company called "VIDEO TECH PRODUCOES LTDA":

Certificate information

It's unclear at this point if the certificate has been stolen or if there is some other connection between the company and the malware samples.

The installer registers an extension with the name of "F-Secure Security Pack" for Chrome:


The same happens for the Firefox browser, with slightly different registration details:


Depending on the targeted region, the malware uses different brands as the name of the malicious extension. For example, we've seen "Chrome Service Pack" for China, Dr. Web for France and Kingsoft for Brazil:




The extension itself is quite simple. It fetches an update from a command and control server and uses the information in this update to post to different social media sites. The comments in the source code are in Portuguese, which also hints at the origin of the malware:


Here's an example of the update information the malware fetches from the command and control servers for Brazilian users:


One of the settings automatically retweets a message. This setting was not enabled at the time of writing, but the message to be retweeted is still visible. We can see that this particular message has over 5000 retweets:


F-Secure detects this malware as Trojan.FBSuper or various other heuristic detection names, depending on the variant.

SHA-1: 6287b03f038545a668ba20df773f6599c1eb45a2
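As an added illustration of how a defender might hunt for this family on a host, the script below is not part of the original post or of any F-Secure tooling. It walks a browser profile or drop directory, flags any manifest.json whose display name matches one of the vendor brands the post lists ("F-Secure Security Pack", "Chrome Service Pack", "Dr. Web", "Kingsoft"), and hashes dropped .crx/.xpi/.exe files against the SHA-1 given above. The directory tree it scans in the demo (the Extensions/<id>/<version>/manifest.json layout and the dropped .crx) is constructed sample data, and the function names are this example's own.

```python
import hashlib
import json
import os
import tempfile

# Extension display names the article reports the malware registering
# under, depending on the targeted region.
IMPERSONATED_NAMES = {
    "f-secure security pack",
    "chrome service pack",
    "dr. web",
    "kingsoft",
}

# SHA-1 of the sample listed at the end of the article.
KNOWN_BAD_SHA1 = {"6287b03f038545a668ba20df773f6599c1eb45a2"}

# File types worth hashing: the dropped extensions and the SFX installer.
HASHED_SUFFIXES = (".crx", ".xpi", ".exe")


def sha1_of_file(path):
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_name(manifest):
    """Return the extension's display name lower-cased and trimmed. A Chrome
    manifest may use a localisation key (__MSG_xxx__); such names are returned
    unchanged so they show up for manual review instead of silently passing."""
    return str(manifest.get("name", "")).strip().lower()


def scan_tree(root, bad_hashes=KNOWN_BAD_SHA1):
    """Walk a directory and return (kind, path, detail) triples:
    'impersonated_name' for a manifest.json whose name matches an abused brand,
    'known_hash' for a dropped file whose SHA-1 is in the IoC set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == "manifest.json":
                try:
                    with open(path, encoding="utf-8") as f:
                        manifest = json.load(f)
                except (OSError, ValueError):
                    continue  # unreadable or not JSON: skip, keep the sweep going
                if normalise_name(manifest) in IMPERSONATED_NAMES:
                    findings.append(("impersonated_name", dirpath, manifest.get("name")))
            elif fname.lower().endswith(HASHED_SUFFIXES):
                digest = sha1_of_file(path)
                if digest in bad_hashes:
                    findings.append(("known_hash", path, digest))
    return findings


def build_sample_tree():
    """Constructed test data (not from the article): a temp directory holding one
    extension whose manifest carries the impersonated name and one dropped .crx."""
    root = tempfile.mkdtemp(prefix="ext-hunt-")
    ext_dir = os.path.join(root, "Extensions", "abcdefghijklmnop", "1.0_0")
    os.makedirs(ext_dir)
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "F-Secure Security Pack", "version": "1.0",
                   "manifest_version": 2}, f)
    drop_dir = os.path.join(root, "dropped")
    os.makedirs(drop_dir)
    with open(os.path.join(drop_dir, "pack.crx"), "wb") as f:
        f.write(b"Cr24" + b"\x00" * 12 + b"constructed-crx-placeholder")
    return root


def demo():
    """Run the hunt over the constructed tree. The constructed .crx cannot have
    the real sample's hash, so its digest is added to the IoC set here purely
    to exercise the hash-matching path."""
    root = build_sample_tree()
    crx_sha1 = sha1_of_file(os.path.join(root, "dropped", "pack.crx"))
    return scan_tree(root, bad_hashes=KNOWN_BAD_SHA1 | {crx_sha1})


if __name__ == "__main__":
    for kind, where, detail in demo():
        print(f"{kind:18} {where}  ({detail})")
```

Pointed at a real profile directory, `scan_tree` is intentionally noisy in one direction: any manifest whose name is a localisation key is not matched, so a sweep should also review extensions with `__MSG_` names by hand, and the SHA-1 set should be extended with whatever other sample hashes are available to the responder.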