Facebook as Part of New Malware Campaign


Facebook users, both businesses and consumers, are facing a new malware attack delivered through fake emails. The phishing and social engineering campaign presents its messages as coming from official Facebook authorities. The sender’s name appears as “Facebook”, and the email address also suggests that the mail is coming from an official account. However, the domain names of the email addresses are different and not related to Facebook in any way. At the start of this month, a similar malware campaign targeted WhatsApp users. The Threat Research Lab at Comodo believes that the same group of cyber criminals is behind both malware campaigns.

The supposed Facebook message has a routine-looking subject and asks users to open a zip file.

Subject lines commonly used by the attackers include:

  • A brief vocal email has been delivered
  • An audio announcement was delivered
  • An audible warning was missed
  • You have received a vocal memo


Every subject line ends with random characters such as “yqr” or “sel”. This is most probably done to bypass antispam filters. The zip file attached to the email contains an executable file. When the .exe file is clicked, the malware automatically replicates itself into the C directory and adds itself to auto-run in the registry, causing the malware to spread. The researchers at Comodo have identified this Facebook malware as a variant of the “Nivdort” malware family.
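For mail triage, the traits described above can be checked together. The following is an added example, not code from Comodo or from the original article: it flags a “Facebook” display name on a non-Facebook domain, a listed subject followed by a short random token, and a zip attachment holding an .exe. The function names, the domain allow-list, the suffix pattern and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECTS = (  # subject lines listed in the article, lowercased
    "a brief vocal email has been delivered",
    "an audio announcement was delivered",
    "an audible warning was missed",
    "you have received a vocal memo",
)
SUFFIX = re.compile(r"^(?P<base>.+?)\s+[a-z]{2,5}$")  # assumed suffix shape ("yqr", "sel")
BRAND_DOMAINS = ("facebook.com", "facebookmail.com")  # assumed allow-list


def score_message(raw: bytes) -> list:
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    legit = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    if "facebook" in name.lower() and not legit:
        hits.append("display-name-spoof")
    m = SUFFIX.match(str(msg.get("Subject", "")).strip().lower())
    if m and m["base"].rstrip(". ") in SUBJECTS:
        hits.append("subject-with-random-suffix")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith(".exe") for n in zf.namelist()):
                    hits.append("zip-contains-exe")
    return hits


def build_sample() -> bytes:
    """Constructed sample; placeholder bytes stand in for the executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voice_message.exe", b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Facebook <notify@mail.example.net>"
    msg["Subject"] = "You have received a vocal memo yqr"
    msg.set_content("Open the attached file to listen.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="memo.zip")
    return msg.as_bytes()
```

Calling `score_message(build_sample())` returns all three trait labels; a message that matches none returns an empty list.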

Below is a screenshot of one such email:

[Image: Nivdort Facebook]