Installation
This threat is installed as fbinstupd.exe after being dropped and run by TrojanDropper:Win32/Febipos.A.
In the wild, we have seen Trojan:Win32/Febipos.gen!A bundled with other files, including inside self-extracting archive executables, for example:
- 1.crx - Trojan:JS/Febipos.A
- 2.xpi - Trojan:JS/Febipos.A
- fbinstupd.exe - Trojan:Win32/Febipos.gen!A
- lkaseoihcaig.exe - Trojan:JS/Febipos.A
- sqlite3.dll - Clean
Trojan:Win32/Febipos.gen!A installs the following browser extensions/addons that we detect as Trojan:JS/Febipos.A:
- 1.crx - for the Chrome browser
- 2.xpi - for the Firefox browser
This threat may display pop-up messages while it installs the malicious browser extensions. The messages vary and may appear in different languages. They may look like:
Chrome browser
If the Chrome browser is installed on your computer, Trojan:Win32/Febipos.gen!A creates the folder %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id folder>\<version>_0\. <id folder> is a folder whose name looks like the ID of a browser extension, for example ckfnanklnkjaogdlpidhkpegbabjglfn. <version> is the version of the malicious browser extension, for example 6.0.0.
It then installs the following files in that folder:
- begin.js - Trojan:JS/Febipos.A
- chrome.manifest
- icon.PNG
- icon128.png
- icon16.png
- icon48.png
- manifest.json
- remove.js
It then modifies %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences to add an entry for the malicious browser extension Trojan:JS/Febipos.A, so that Chrome loads it as an installed extension.
The installed malicious browser extension can be seen in the Chrome extension page. Below are some examples:
Trojan:Win32/Febipos.gen!A may also run the file lkaseoihcaig.exe. This is a self-extracting archive containing the Trojan:JS/Febipos.A browser extension.
Firefox browser
If the Firefox browser is installed on your computer, the file 2.xpi is copied to %APPDATA%\Mozilla\Firefox\Profiles\<default profile>\extensions\<add-on ID>.xpi.
<default profile> is the default profile that was set by the Firefox browser, for example %APPDATA%\Mozilla\Firefox\Profiles\90z7xh3m.default\.
<add-on ID> is the ID of the browser add-on. Trojan:Win32/Febipos.gen!A may use one of the following IDs:
- sqlmoz@facebook.com
- chinaescapeone@facebook.com
In this example, the malicious browser add-on Trojan:JS/Febipos.A will be installed as one of:
- %APPDATA%\Mozilla\Firefox\Profiles\<default profile>\extensions\sqlmoz@facebook.com.xpi
- %APPDATA%\Mozilla\Firefox\Profiles\<default profile>\extensions\chinaescapeone@facebook.com.xpi
Below is an example of the add-on in Firefox:
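The Chrome and Firefox installation steps above give enough on-disk indicators to hunt for this family on a Windows host. The following script is an added example and not part of the original write-up or of any Microsoft tooling: it walks a Chrome profile for the <id folder>\<version>_0\ layout and the begin.js / remove.js / chrome.manifest files, checks the Preferences file for the extension entry (the "extensions" -> "settings" -> <id> layout of that JSON file is an assumption here), and walks every Firefox profile for the two add-on IDs. The sample directory tree built by build_fixture() is constructed for the demonstration and contains no real malware.

```python
"""Hunt for Febipos-style browser extension artifacts (added example, not from the write-up)."""
import json
import os
import re
import tempfile
from pathlib import Path

# Indicator values taken from the write-up above.
CHROME_EXT_ID = "ckfnanklnkjaogdlpidhkpegbabjglfn"           # example id folder
CHROME_FILES = {"begin.js", "remove.js", "chrome.manifest"}   # dropped into <id>\<version>_0\
FIREFOX_ADDON_IDS = {"sqlmoz@facebook.com", "chinaescapeone@facebook.com"}
CHROME_ID_RE = re.compile(r"^[a-p]{32}$")   # Chrome extension ids are 32 characters a-p


def default_roots():
    """Real locations on Windows, built from the same environment variables the write-up uses."""
    local, roaming = os.environ.get("LOCALAPPDATA", ""), os.environ.get("APPDATA", "")
    return (Path(local) / "Google" / "Chrome" / "User Data" / "Default",
            Path(roaming) / "Mozilla" / "Firefox" / "Profiles")


def scan_chrome_profile(profile_dir):
    """Scan one Chrome profile directory (e.g. ...\\User Data\\Default); return a list of findings."""
    profile_dir = Path(profile_dir)
    findings = []
    ext_root = profile_dir / "Extensions"
    if ext_root.is_dir():
        for ext_dir in sorted(ext_root.iterdir()):
            if not (ext_dir.is_dir() and CHROME_ID_RE.match(ext_dir.name)):
                continue
            for ver_dir in sorted(ext_dir.iterdir()):
                if not ver_dir.is_dir():
                    continue
                hits = sorted(CHROME_FILES & {p.name for p in ver_dir.iterdir()})
                if hits or ext_dir.name == CHROME_EXT_ID:
                    findings.append({"browser": "chrome", "id": ext_dir.name, "version": ver_dir.name,
                                     "path": str(ver_dir), "indicators": hits})
    prefs = profile_dir / "Preferences"
    if prefs.is_file():
        try:   # assumed layout: {"extensions": {"settings": {"<id>": {...}}}}
            settings = json.loads(prefs.read_text(encoding="utf-8"))["extensions"]["settings"]
        except (ValueError, KeyError, TypeError):
            settings = {}
        for ext_id, entry in settings.items():
            sideloaded = isinstance(entry, dict) and entry.get("from_webstore") is False
            if ext_id == CHROME_EXT_ID:
                findings.append({"browser": "chrome", "id": ext_id, "version": None,
                                 "path": str(prefs), "indicators": ["known id in Preferences"]})
            elif sideloaded:   # lower confidence: any extension not installed from the Web Store
                findings.append({"browser": "chrome", "id": ext_id, "version": None,
                                 "path": str(prefs), "indicators": ["sideloaded (from_webstore=false), review"]})
    return findings


def scan_firefox_profiles(profiles_root):
    """Scan every profile under ...\\Mozilla\\Firefox\\Profiles for the known add-on ids."""
    findings = []
    profiles_root = Path(profiles_root)
    if not profiles_root.is_dir():
        return findings
    for profile in sorted(profiles_root.iterdir()):
        ext_dir = profile / "extensions"
        if not ext_dir.is_dir():
            continue
        for item in sorted(ext_dir.iterdir()):
            # Packed add-ons are <id>.xpi; unpacked ones are a folder named <id>.
            addon_id = item.name[:-4] if item.name.endswith(".xpi") else item.name
            if addon_id in FIREFOX_ADDON_IDS:
                findings.append({"browser": "firefox", "id": addon_id, "version": None,
                                 "path": str(item), "indicators": ["known add-on id"]})
    return findings


def build_fixture(root):
    """Constructed sample tree mirroring the layout described in the write-up (no real malware)."""
    root = Path(root)
    chrome = root / "Google" / "Chrome" / "User Data" / "Default"
    bad = chrome / "Extensions" / CHROME_EXT_ID / "6.0.0_0"
    bad.mkdir(parents=True)
    for name in ("begin.js", "chrome.manifest", "manifest.json", "remove.js", "icon128.png"):
        (bad / name).write_text("// constructed placeholder\n")
    good = chrome / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"   # benign control
    good.mkdir(parents=True)
    (good / "manifest.json").write_text("{}")
    prefs = {"extensions": {"settings": {
        CHROME_EXT_ID: {"from_webstore": False, "path": str(bad)},
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True}}}}
    (chrome / "Preferences").write_text(json.dumps(prefs), encoding="utf-8")
    ff = root / "Mozilla" / "Firefox" / "Profiles" / "90z7xh3m.default" / "extensions"
    ff.mkdir(parents=True)
    for addon in ("sqlmoz@facebook.com.xpi", "chinaescapeone@facebook.com.xpi", "benign@example.org.xpi"):
        (ff / addon).write_bytes(b"PK\x05\x06" + b"\x00" * 18)   # empty zip, constructed
    return chrome, root / "Mozilla" / "Firefox" / "Profiles"


def run_demo():
    """Build the constructed fixture in a temp dir, scan it, and return all findings."""
    with tempfile.TemporaryDirectory() as tmp:
        chrome, ff_profiles = build_fixture(tmp)
        return scan_chrome_profile(chrome) + scan_firefox_profiles(ff_profiles)


if __name__ == "__main__":
    for f in run_demo():   # swap in default_roots() to scan the current Windows user profile
        print(f["browser"], f["id"], f["path"], ", ".join(f["indicators"]))
```

On a live host, replace run_demo() with scan_chrome_profile() and scan_firefox_profiles() over the paths from default_roots(), and extend the Chrome scan to profiles other than Default if the user has several. The "sideloaded" Preferences finding is deliberately low confidence: enterprise-deployed extensions also carry from_webstore=false, so treat it as a lead to review rather than a detection on its own.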
Payload
Trojan:Win32/Febipos.gen!A can connect to the website http://whos.amung.us/<removed>/okinstallchi.pnh for the purpose of counting the number of infections. whos.amung.us is a public visitor-counter service, so the request is a beacon rather than a command channel; a hit to it from a non-browser process is a useful network indicator.
Analysis by Jonathan San Jose