FACETTI

By JubileeX in Malware

FACETTI is a malware infection that uses Twitter and Facebook to spread to new computers. FACETTI takes over a PC when its user clicks a malicious tweet or Facebook post. FACETTI propagates as a bogus Flash Player installer: after clicking the tweet, the user is redirected to a website that asks them to download and install Adobe Flash Player. The tweet text translates as 'look at my slide, is it good?', and the text below the Flash Player logo reads 'update Flash to watch this video'. When the user clicks on this page, he or she is prompted to download an apparently legitimate file named 'install_flashplayer11x32_mssd_aaa_aih.exe', which carries the usual Flash Player icon.

The installer is written in Delphi and carries no digital signature, which the genuine Flash Player installer does. The installer embeds a resource named FACETTI. FACETTI is a DLL that is dropped to %APPDATA%\amk.dll and registered as an Internet Explorer add-on (Browser Helper Object) via cmd.exe /c regsvr32 /s /u '%APPDATA%\amk.dll' (note that in regsvr32, /s runs silently and /u unregisters a COM server; the registering call omits /u). The add-on tries to convince the user of the infected machine that it is the legitimate Flash Player from Adobe. Once the browser add-on is installed, the initial connection to Timottur.com is made and two files are added. When FACETTI finds a Twitter authenticity token, the script can perform actions on behalf of the victim's Twitter account: it can follow, post or retweet. Similarly for Facebook, the script can post to the victim's Facebook feed, and it can allegedly like a Facebook page or become its fan. A few Facebook pages are hardcoded and are liked or subscribed to by the Facebook accounts of hijacked computers.
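The practical check that follows from this behaviour is to enumerate the Browser Helper Objects registered on a host and flag any whose DLL is loaded from a user-writable profile directory such as %APPDATA%, is missing on disk, or carries no valid Authenticode signature. The script below is an added example written for this page, not code from the original article or from the malware author. The registry locations and the %APPDATA%\amk.dll artifact are standard Windows/IE facts and the article's own indicator respectively; the choice of "suspicious" directories, the function name Resolve-BhoDll and the inclusion of an HKCU BHO key (checked in case a per-user registration was attempted) are assumptions made for illustration.

```powershell
# Added example (not from the original article): triage Internet Explorer
# Browser Helper Objects (BHOs) for FACETTI-style registrations.
# Run in an elevated PowerShell session on the host being examined.

# Where IE looks up registered BHO CLSIDs (64-bit, 32-bit-on-64 and, as an
# assumption, a per-user location in case a non-admin install was attempted).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Directories a legitimate BHO should not be loaded from (assumed list).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

function Resolve-BhoDll {
    param([string]$Clsid)
    # A BHO is registered only by CLSID; regsvr32 wrote the DLL path into
    # the class's InprocServer32 default value, which is what we resolve here.
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) {
                return [Environment]::ExpandEnvironmentVariables($path).Trim('"')
            }
        }
    }
    return $null
}

foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid   = $sub.PSChildName
        $dll     = Resolve-BhoDll -Clsid $clsid
        $reasons = @()

        if (-not $dll) {
            $reasons += 'no InprocServer32 path for CLSID'
        } else {
            # FACETTI drops its DLL into %APPDATA%; any BHO loaded from a
            # user-writable directory deserves a look.
            foreach ($dir in $userWritable) {
                if ($dir -and $dll.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "loaded from user-writable path ($dir)"
                    break
                }
            }
            if ([IO.Path]::GetFileName($dll) -ieq 'amk.dll') {
                $reasons += 'file name matches the FACETTI artifact amk.dll'
            }
            if (Test-Path $dll) {
                # The article notes the dropper is unsigned; check the BHO too.
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') {
                    $reasons += "Authenticode status $($sig.Status)"
                }
            } else {
                $reasons += 'DLL missing on disk (dangling registration)'
            }
        }

        [PSCustomObject]@{
            Key        = $bhoKey
            CLSID      = $clsid
            Dll        = $dll
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}
```

Each row carries the CLSID, the resolved DLL path and the reasons it was flagged, so the output can be piped to Where-Object Suspicious or exported for a fleet-wide sweep. A hit on amk.dll under %APPDATA% should be followed by unregistering the DLL (regsvr32 /s /u "<path>", where /u is the unregister switch) and deleting the file, after the sample has been preserved for analysis.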

File System Details

FACETTI may create the following file(s):
  #   File Name            Detections
  1.  %APPDATA%\amk.dll