Account-hijacking Trojan spreads via Facebook messages

Private messages delivering what seems to be an image are spreading like wildfire on Facebook, as the file in question triggers the download of a Trojan that compromises the victims’ computer and Facebook account to spread the malware further.

The infection chain starts like this: the victim sees the message from a friend that simply states “LOL” and includes the “image”:

Unfortunately, the ZIP file in question contains a Java JAR file of the same name that, when run, downloads the actual malware from a remote Dropbox account.

The two aforementioned files are not malicious per se, but the third one is – it’s a Trojan that injects itself into legitimate processes currently running on the victims’ system.

According to Malwarebytes’ Adam Kujawa, it’s still unkown what the Trojan does except compromise the victims’ Facebook account, but if we go by the results on VirusTotal, it could be a variant of the infamous Zusy banking Trojan.

“The origin of the threat is also currently under investigation however some of the text found within the Java file leads us to believe it was developed by someone who speaks Greek,” noted Kujawa.

Users are advised not to open automatically similar files received from Facebook friends, but to ask them first if they were the ones who sent it.

“If they don’t respond or they say “I dunno, I didn’t send that’ then go ahead and suggest your friend run an AV scan and change their Facebook passwords, in that order,” he advises.

The malware affects only computers running Windows, so if you accessed your Facebook account and tried to open the file via your mobile phone or Mac, you’re in the clear.