US attacks Iran and Saudi Arabia? Malware spreads via Facebook status updates

Graham Cluley
Graham Cluley
@[email protected]

TankBeware of malware lurking on news websites claiming to containing breaking news stories.

Naked Security has seen a worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia in a move heralding the beginning of World War 3.

Well, that would certainly get your attention, wouldn’t it?

A typical status message looks like the following:

Sign up to our free newsletter.
Security news, advice, and tips.

U.S. Attacks Iran and Saudia Arabia. Fuck :-( The Begin of World War 3?

U.S. Attacks Iran and Saudia Arabia. F**k :-( [LINK] The Begin of World War 3?

If you visit the link mentioned in the status update, you are taken to a fake CNN news webpage which claims to contain video footage of conflict.

Fake CNN webpage

However, clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash.

Malicious download posing as Flash update

Of course, it’s not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website.

The malware – which Sophos detects as Troj/Rootkit-KK – drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J.

Within the first three hours of this malware campaign, some 60,000 Facebook users had been duped into visiting the malicious link.

What isn’t entirely clear at this point is how the message is being shared by so many Facebook profiles.

Regular readers may recall how Facebook users were hit by hardcore porn, violence and animal abuse images late last year. Ultimately, Facebook claimed that the messages were being spread via a self-XSS browser vulnerability.

It’s possible that malicious code on users’ computers is sending the message to Facebook without users knowing. To be on the safe side, you should scan your computer with up-to-date anti-virus software and ensure you have the latest security patches in place.

If you use Facebook and want to get an early warning about the latest malware attacks, scams and hoaxes, you should join the Sophos Facebook page where we have a thriving community of over 160,000 people.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.