Facebook trojan masked as Flash update infects 110,000 users within 2 days
Posted by: Jon Ben-Mayor on 01/31/2015 08:37 AM
Same old song and dance - As you are browsing through your news feed, an extremely enticing post pops up (obviously tailored that way to gain views and further the spread) and promises you a preview of a raunchy porn video. Not all of us jump at the chance to view porn - least of all on Facebook - but 110,000 users in 2 days did and got themselves cyber herpes.
According to Seclists.org, when you click on it to view the video, it eventually stops and asks you to download a (fake) Flash Player to continue the preview. The fake Flash Player is the downloader of the actual malware.
Now called "Magnet" by Seclists.org, the malware gets more visibility to potential victims as it tags the victim's friends in the malicious post. The tag may then be seen by friends of the victim's friends as well, which leads to a larger number of potential victims and speeds up the malware's propagation.
Once installed on a Windows PC, the malware collects the victim's data and tries to communicate with the server behind the filmver.com and pornokan.com domains for more instructions.
Faghani notes that the malicious file drops the chromium.exe, wget.exe, arsiv.exe and verclsid.exe executables. Chromium.exe is a generic dropper that, once running, probably downloads more malware to install, such as the keylogger.
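The C2 domains and dropped file names above are the only indicators the article gives, so a defender's first check is to sweep DNS and file-creation logs for them. The script below is an added example (not code from the article or from Seclists.org) that does that over constructed sample log lines; the log formats are assumed, and it treats verclsid.exe specially because a legitimate Windows binary of that name lives in the system directory.

```python
import re

# Indicators named in the article: domains the malware contacts for
# instructions, and the file names the dropper writes.
C2_DOMAINS = {"filmver.com", "pornokan.com"}
DROPPED_FILES = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}
# verclsid.exe is also a legitimate Windows component, so a file-create
# event by that name is only suspicious outside the system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed log formats: a resolver log with "query: <host>" and a
# Sysmon-style file-create event with "TargetFilename: <path>".
DNS_RE = re.compile(r"query:\s+(?P<host>[\w.-]+)", re.IGNORECASE)
FILE_RE = re.compile(r"TargetFilename:\s*(?P<path>.+?)\s*$", re.IGNORECASE)

def host_matches(host: str) -> bool:
    """True if host is one of the C2 domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def file_matches(path: str) -> bool:
    """True if a dropped-file name was created outside a system directory."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name not in DROPPED_FILES:
        return False
    return not p.startswith(SYSTEM_DIRS)

def scan(lines):
    """Return (line_number, reason) for every log line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m and host_matches(m.group("host")):
            hits.append((n, "c2-dns:" + m.group("host").lower()))
            continue
        m = FILE_RE.search(line)
        if m and file_matches(m.group("path")):
            hits.append((n, "dropped-file:" + m.group("path")))
    return hits

# Constructed sample log lines (not from the article or any real incident).
SAMPLE_LOG = [
    "2015-01-30 09:12:01 dns client 10.0.0.5 query: www.example.com A",
    "2015-01-30 09:12:07 dns client 10.0.0.5 query: pornokan.com A",
    "2015-01-30 09:12:09 sysmon EventID 11 TargetFilename: C:\\Users\\bob\\AppData\\Local\\Temp\\arsiv.exe",
    "2015-01-30 09:12:10 sysmon EventID 11 TargetFilename: C:\\Windows\\System32\\verclsid.exe",
    "2015-01-30 09:12:15 dns client 10.0.0.7 query: cdn.filmver.com A",
]
if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Running it flags the pornokan.com lookup, the arsiv.exe written to a user's Temp folder and the cdn.filmver.com lookup, while the verclsid.exe in System32 is left alone.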
Source: The Hacker News