It is well known that a lot of malware attacks can be distributed using social media. Clicking on nefarious links or opening attachments sent in direct messages are two somewhat common attack vectors. One particular malware group has taken things to a new level, as it uses Facebook’s content delivery network server to hide banking Trojans. This is a very interesting turn of events, although it remains to be seen how the company will respond to this problem.

Facebook CDN is a Malware Distribution Platform

Researchers have come across some very unusual malware activity these past few weeks. Specifically, the way these malicious payloads are distributed has raised a lot of questions. Several campaigns are actively using Facebook’s CDN servers to distribute malware to users all over the world. It turns out these malware types are all banking Trojans hiding on CDN servers used by the social media giant.

It is also believed these same criminals are responsible for having used Dropbox and Google’s cloud storage to distribute similar payloads not too long ago. These trusted services have been getting a lot of attention lately, although not necessarily for the right reasons. When tools like these are used for criminal activity, it is impossible to tell what the final consequences will be. Most people trust Google, Facebook, and Dropbox, and would hardly associate these companies with malware.

By making use of the Facebook CDN servers, criminals will cause a lot of damage with these banking Trojans. Their domain name is trusted by security solutions, which means they will not recognize this malware as such. A custom domain create to host and distribute malware can easily get blacklisted and even taken offline by registrars. Taking Facebook offline for this particular purpose would be rather problematic for obvious reasons

Users are first contacted through a fake email in which they are asked to visit the Facebook CDN where the malware is hosted. These emails are disguised as a communication from local authorities. Considering how the link in the email is not marked as malicious right away, most users will click on it. The assailants upload these banking Trojans in Facebook groups or other public sections and use the aforementioned URL as a way to distribute them through spam email campaigns.

What is rather peculiar is how this attack is only aimed at Brazilian users right now. The Brazilian ecosystem is of keen interest to particular criminals, although it is unknown why this is the case. When a user from a non-targeted region visits the link, the infection process is halted prematurely. This shows that this new campaign is specifically tailored for one purpose only, although it is anybody’s guess as to why Brazil is the target.

According to the first reports, the banking Trojan being distributed is called Squiblydoo. Users who click on an email link will download a ZIP archive containing a PowerShell script. Once they do so, the malware will download in the background and infect one’s computer accordingly. Though it is a rather common method of attack, this particular distribution campaign is something we do not see every day. These spam emails have been delivered to hundreds of thousands of recipients, although it is unclear how many people actually clicked the links in question.