The Trojan retrieves uid from cookies and CSRF token from the social network webpage. Every 10 microseconds, it removes blocks with the following classes from the Facebook web interface:
- uiToggle wrap
Then the Trojan creates a group named randomly. Using the group ID, the victim’s profile photo and the address of the webpage retrieved from a configuration file, the Trojan generates a “share a link” post and publishes it on the wall in specified intervals. What is more, in this post, the Trojan mentions all the victim’s friends on Facebook so this message is published on their walls too.
If the user follows the specified link, they are redirected to some webpage whose appearance is identical to the Facebook web design. Yet, if another website is used to follow this link, the user is redirected to a blank webpage. The webpage contains an allegedly standard video player. If the victim uses Chrome and tries to watch the video, they are prompted to download and install a browser plug-in. Trojan.BPlug.1074 can use this method to spread either its own copy or other plug-ins for Google Chrome.