New Facebook-Distributed Botnet Filmkan Appears to Be from Turkish Actor

Ryan Olson


On January 31, a security researcher named Mohammad Faghani posted an analysis of malware that was being distributed through Facebook posts. Based on the number of “likes” the malware had generated, Faghani estimated that over 100,000 users had been infected with the malware. We have not been able to identify a common name for this malware and have given it the designation “Filmkan” based on domains it uses for command and control.

Based on our analysis, this malware was most likely created by a Turkish actor. The malware contains many comments written in Turkish, the domains used for command and control were registered through a Turkish company and the social network profiles involved in the attack belong to Turkish speakers.  Filmkan is very flexible, giving it more capability than simple interaction with social networks. The overall motivation of this attack is not clear at this time, but the author of Filmkan has successfully assembled a large botnet in a short amount of time.

Filmkan Functionality

While the initial report only contained sparse details, Faghani followed up with additional analysis on February 2, exposing more functionality related to the malware. Our WildFire analysis cloud first picked up samples of this malware on January 22 and thus far we’ve collected 44 distinct samples the display the behavior described by Faghani.

At a high level, this malware consists of four components:

  • Windows Executable Dropper (Based on AutoHotkey)
  • A wget for Windows executable(Legitimate)
  • A malicious Google Chrome Extension
  • Dynamic JavaScript code delivered by the attacker’s server

The initial infection occurs when a user clicks on a link in a Facebook post, which claims to be a pornographic video. After a few seconds the video tells the user they need to download an update for Flash player, which is the initial dropper executable. The attacker hosted the linked executables through Google’s cloud storage at the following URLs:

  • hxxp://storage.googleapis .com /aytackurst/install_flashplayer14x32_x64m
  • hxxp://storage.googleapis .com /aytackurst/install_flashplayer14x32_x63m
  • hxxp://storage.googleapis .com /aytackurst/install_flashplayer14x32_x86m

Filmkan Dropper

The Filmkan dropper has a Flash icon to help make it appear as a legitimate update.

update flash

The author of Filmkan created the dropper using AutoHotkey (AHK), a legitimate tool for creating Windows applications using a custom scripting language. AHK scripts are compiled into binaries that interpret the script code, making them portable to any Windows system. The AHK scripts included in the Filmkan binaries contain many debugging strings written in Turkish. The scripts have the following functionality:

  • Check if Google Chrome is installed on the system
  • If Google Chrome is not installed, install it and add a shortcut to the desktop
  • Copy the dropper binary to Application Data directory as “Chromium.exe”
  • Set a run-key to start Chromium.exe on system start
  • Delete files named chromenet.exe and Chromium_Launcher.exe (Possibly older versions of the dropper)
  • Install a legitimate wget.exe executable from within the binary
  • Check with three command and control servers for updated executables
  • Download an updated executable and replace itself
  • Install a malicious Chrome plug-in containing content downloaded from the command and control server

While the dropper is responsible for the initial installation and updating itself, the remaining functionality is contained in the Filmkan Chrome extension.

Filmkan Chrome Extension

Chrome extensions  allow developers to extend Google’s Chrome browser, typically by adding new functionality. Developers write extensions in JavaScript and HTML, which is typically included in a package along with resources necessary to operate the extension.  The Filmkan dropper retrieves JavaScript using the installed wget.exe program from one of the three defined C2 servers. The dropper saves this JavaScript code as “bg.txt”, which is defined in the installed Chrome extension manifest as a “background” script. This script will run whenever the Chrome browser is open on the system.

The content of the bg.txt file can be changed any time the attacker chooses. The current version of the script contains three primary functions.

The chrome extension closes any tab the user opens that matches the following URLs, effectively preventing the user from discovering or removing the extension.

  • “chrome://extension”
  • “chrome://chrome/extension”
  • “chrome://settings/resetProfileSettings”
  • “opera://extensions/”
  • “browser://tune/”
  • “chrome://help/”

The extension downloads an array of JSON data from hxxp://www.filmver .com/ahk/get.js. The extension uses this data as a blacklist, preventing the browser from loading URLs that contain any of the following strings.

  • avast.com
  • eset.com
  • microsoft.com
  • virusscan.jotti.org
  • jotti.org
  • avg.com
  • kaspersky.com.tr
  • kaspersky.com
  • facebook.com/ajax/webstorage/process_keys.php
  • facebook.com/checkpoint/malware/cr_ext_config
  • facebook.com/checkpoint/malware/cr_ext_log
  • dl.dropboxusercontent.com
  • docs.google.com
  • drive.google.com
  • facebook.com/ajax/follow/unfollow_profile.php
  • vuupc.com
  • mcafee.com
  • googlecode.com
  • akamai.net
  • facebook.com/xti.php
  • .exe
  • exelansdealers.com
  • facebook.com/ajax/profile/removefriendconfirm.php
  • facebook.com/ajax/report/social.php
  • joygame.com
  • senakadir.org
  • yllix.com
  • blogspot
  • .scr
  • hebacanak.xyz
  • milyoncu.xyz
  • ez123.ezgo123.com
  • ezgo123.com
  • deactivate.php

Blocking antivirus and security-related domains is a common tactic malware authors use to prevent users from removing an infection, but many of the domains included in this list are mysterious. JoyGame.com is a Turkish video game website, while exelansdealers.com was previously used to host a similar malicious Chrome extension.

The third primary function of this extension is to download and execute JavaScript code from hxxp://www.filmver .com/ahk/user.php. This function makes the Filmkan extension very flexible, as the attacker can modify the script at any time.

When Faghani first published his analysis this component of the malware was forcing the user’s Facebook account to “like” specific posts on a community page titled Sabır. Some of these posts garnered over 100,000 likes, despite containing very little content.

fb Filmkan

The latest version of the script no longer forces the user to like these posts, instead it causes the user to follow two accounts on Twitter and a third account on Facebook.

Other than all three of these accounts belonging to Turkish individuals, the connection between these accounts and this attack is unclear.  The script also includes a tracking URL hosted by amung.us, which allows the attacker to identify how many users are actively infected with the malware. A snapshot of the current number of infections follows:

online

hxxp:// whos.amung .us/swidget/hcfj8xyq9p94

The attacker frequently updates this tracking URL, most likely to keep track of users who are currently executing the latest malicious extension code.  The full content of the latest script follows.

Protection Against Filmkan

Filmkan does not exploit any software vulnerabilities and thus far has relied on social engineering to infect users. Users should be suspicious of any message indicating that an update for Flash is available in Google Chrome, as Chrome contains an integrated Flash runtime that is updated by Google.

Organizations should block access to the following domains to prevent Filmkan from receiving updates from the attacker. These domains are the primary weakness of Filmkan, as shutting all three of them down simultaneously would remove the attackers access to the botnet.

  • filmver.com
  • pornokan.com
  • neran.net

Thus far, WildFire has automatically identified Filmkan droppers with the following MD5 hashes:

  • 417a4e511b5e545c7ca291bc0cce07ba
  • 5c2fa20538ddeaa51d4926f848077eed
  • 2b7b5e29892e337ab33da34d9c157904
  • 153648a45acce90bfdf025d741551048
  • 1028c910bf1ad2c2c168ca87927063f2
  • f9b19fc9cacaf8aeee52dbe8004b58f7
  • ed216da31992540897d3bb3b2043482f
  • 1fa02f74b4a5aca28aabbd908dfe5726
  • d2c9c770f15093b8ba9f045d99154e50
  • 5dafa69051a4f13b204db38d0ffcad5e
  • 877648fccf8334230c1d601068939003
  • fd34c0f5b3a9cd9c41964a8808ea0f5a
  • 4e56b2d83913d9ad904aef12ded609a6
  • 2c4bc730f6c644adf21c58384340bf2e
  • cdcc132fad2e819e7ab94e5e564e8968
  • 787c710de749b2122a08c907b972f804
  • 90d761bc351107bb17c34787df8d6e1e
  • 6ae4da20732ec857df06d860a669c538
  • 3192a69f3fa8607f65b4182ec21f13dd
  • f1f6b616ce9b4067ce11fc610af2c631
  • 04eaec8ede8bfb00eadbebd9d8d11686
  • c1e0316109febbef60c4d7c44357a5d5
  • a24bab7b2c69672ee6ffc7451f61e495
  • c7fa3651b5f5ec390f9223648aae485b
  • e6d884d39bd4b4cbd1fea96bfa613afd
  • a0740e7317eddd47e535fd71b11874b6
  • 59424fa04bb09030c83c19539a299eec
  • 4908c5c2fcc75330ffd05461bbd207fd
  • abbe325c98aaca9f878c42f0ef4e850e
  • dbabc3c28cf05310051879b938b20e6b
  • df1cf305f3d9dfa38991b20f31468f20
  • ac97ffd114fe251e0fd03436f7caaaf2
  • a2722a389a8adff57cb1b4406f968312
  • c08fd88643b0bebec428b04debfc0762
  • 4d72ce68998aa816b19573b74672b795
  • 060df3a1a3df7da258d674f15b17e7b9
  • 36ad93a8c46de731545bfeb5694b446d
  • 344ea3db8cddf4f6cbe9dbee36850e0e
  • cf693e029b68e01e7585ea5fe446c812
  • d3324773197893bdb796dbacdd4a54ec
  • 4718e54bee474ddb42f230a4326e6678
  • ff4afca6cb9b108111a902d8d4b73301
  • 85c199554b0b4b25516b27f5f2705ec1
  • 1e3d6ddd804e52b3123d295bf57be71f

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS