EKLENTI

By ZulaZuza in Malware

EKLENTI is a malware infection that uses Twitter and Facebook to spread to PCs. It infects a computer system when the user clicks an infected tweet or Facebook post. EKLENTI is distributed as a bogus Flash Player installer. After clicking a tweet, the computer user is diverted to a website that asks them to download and install Adobe Flash Player. The translation of the text from Twitter is 'look at my slide, is it good?' The text below the Flash Player logo reads 'update Flash to watch this video'. When the PC user clicks on this webpage, he/she is offered an apparently legitimate file, 'install_flashplayer11x32_mssd_aaa_aih.exe', which has a typical Flash Player icon.

The installer is written in the Delphi programming language, and it does not have a digital signature, which the genuine Flash Player installer should have. This installer has an interesting resource called EKLENTI. EKLENTI is a Mozilla Firefox/Google Chrome browser add-on, which is installed into %APPDATA%\Mozilla\Firefox\Profiles\lra8qow3.default\extensions\staged\flashplayer@adobe.com.xpi. The installed add-on tries to convince the user of the victimized PC that it is the legitimate Flash Player from Adobe. Once the browser add-on is installed, an initial connection to Timottur.com is made, and two files are dropped. When EKLENTI finds a Twitter authenticity token, the script can perform operations in the name of the attacked user's Twitter account; it can follow, post or retweet. Similarly for Facebook, the script can post to the target user's Facebook feed. The script can allegedly like a Facebook page or become a fan of it. There are a few hardcoded Facebook pages, which are liked or subscribed to by the Facebook accounts on hacked PCs.

File System Details

EKLENTI may create the following file(s):
# File Name Detections
1. install_flashplayer11x32_mssd_aaa_aih.exe
2. Yeni.php
3. Siteler.php
4. %APPDATA%\Mozilla\Firefox\Profiles\lra8qow3.default\extensions\staged\flashplayer@adobe.com.xpi
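
A check for the file indicators listed above, as an added example that is not part of the original write-up. The function names, the choice of Downloads and Desktop as search locations, and reporting copies of the add-on outside the staged folder are assumptions made for illustration.

```python
import os
from pathlib import Path

# Indicators taken from the write-up above (compared case-insensitively).
ADDON_FILE = "flashplayer@adobe.com.xpi"
INSTALLER = "install_flashplayer11x32_mssd_aaa_aih.exe"


def find_fake_flash_addons(appdata):
    """Return every copy of the add-on under any Firefox profile in appdata.

    The profile directory name (lra8qow3.default on the analysed machine) is
    generated per installation, so every profile is enumerated.
    """
    profiles = Path(appdata) / "Mozilla" / "Firefox" / "Profiles"
    hits = []
    if not profiles.is_dir():
        return hits
    for profile in sorted(p for p in profiles.iterdir() if p.is_dir()):
        ext_dir = profile / "extensions"
        if not ext_dir.is_dir():
            continue
        # Assumption: the page names only extensions\staged; copies found
        # anywhere else under extensions are reported as well.
        for path in sorted(ext_dir.rglob("*")):
            if path.name.lower() == ADDON_FILE:
                hits.append(path)
    return hits


def find_installer(search_dirs):
    """Return files named like the bogus installer in the given directories."""
    hits = []
    for directory in map(Path, search_dirs):
        if directory.is_dir():
            hits += sorted(f for f in directory.iterdir()
                           if f.is_file() and f.name.lower() == INSTALLER)
    return hits


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA", "")
    home = Path.home()
    found = find_fake_flash_addons(appdata) if appdata else []
    found += find_installer([home / "Downloads", home / "Desktop"])
    for hit in found:
        print("indicator found:", hit)
```

A match on the file name alone is a lead for further triage, since the names are only those reported for this sample.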
