Backdoor Trojan pushed via versatile Facebook campaign

Thanks to its social nature, Facebook is one of the preferred tools of cyber crooks looking to scam users and peddle malware.

Microsoft recently spotted a considerably versatile social engineering campaign used to trick Facebook users into installing a particularly nasty backdoor Trojan with keylogging capabilities. The messages used to lure in users vary, but they all lead to fake YouTube pages.

Once there, the user is urged to download a new version of “Video Embed ActiveX Object” in order to play the video file.

Unfortunately, the offered setup.exe file is the Caphaw Trojan, which bypasses firewalls and installs an FTP server, a proxy server and a keylogger on the affected machine.

“It also has built-in remote desktop functionality based on the open source VNC project,” says Microsoft’s Mihai Calota. “We received a report that a user found this in his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.”

He advises all users to update their AV software and scan their computers, and to change the passwords on all their sensitive accounts. Users who notice a similar campaign taking advantage of a friend’s account should warn the friend personally and report it to Facebook by using the “report/mark message as spam” option.