ITW social engineering attacks against Firefox

Discussion in 'malware problems & news' started by Gullible Jones, Mar 31, 2015.

  1. Gullible Jones

    Just stumbled across this on a domain squatting website. What's interesting is, the URL was reached by mistyping the URL for the Raspbian Linux distribution - it seems like someone might be targeting Firefox users on Linux. So, Linux geeks, don't get too complacent out there...

    The malware is a (real) Firefox extension, probably similar (if not identical) to the social engineering attack that ships with Metasploit. The site attempts to fool you into installing it, obviously enough. Only one service on VirusTotal detects the URL as malicious. File scanning is inconclusive, it looks like VT has trouble getting the extension to download.

    I've sent the URL to Anubis as well. We'll see what that reports. My guess is man-in-the-browser and remote access, but I would discount escalation to root; local privilege escalation bugs are a dime a dozen on any OS.

    Edit: also worth noting that NoScript made the social engineering popup not work. Obvious enough, but yeah, JavaScript from untrusted pages is still a hazard.

    Edit 2: according to Anubis there's also an IE exploit. Maybe some kind of multifunctional exploit kit?
    Last edited: Mar 31, 2015