Kilim Trojan Hijacks Social Media Accounts with Rogue Browser Extensions

Microsoft experts warn that social bots are on the rise

By on June 13th, 2013 18:01 GMT

Microsoft experts warn that more and more pieces of malware have started relying on social media. One perfect example is the Trojan dubbed Kilim, or Trojan:AutoIt/Kilim.A.

The Trojan starts infecting computers when users install what they believe to be legitimate software. Once the malware is downloaded and executed, it adds itself to the system registry and downloads two malicious Chrome browser extensions.

These browser extensions allow cybercriminals to hijack Facebook, Twitter, YouTube, Ask.fm, and Vk.com accounts. The attackers can leverage Kilim to like pages on Facebook, send messages and follow certain profiles on Twitter, and even comment on YouTube videos.

The Kilim variant observed by Microsoft posted a message in Turkish on Twitter. The message advertised a website that sold Twitter followers.

“Kilim appears to be selling Twitter followers for a price. There is also a possibility that Kilim can extend its functionality to do more - perhaps stealing sensitive information such as passwords, or even spreading other malware for a price and getting paid per-click-through rates, similar to a pay-per-install model,” Microsoft’s Karthik Selvaraj warned.

Most antivirus solutions should be able to remove Kilim, but some malicious components of the browser extensions might remain. Microsoft has published an advisory on how to remove the components manually.

Comments