A new Trojan currently circulating on Facebook has managed to propagate to more than 110,000 users in just two days, a researcher says, by tagging friends of the victim in a post directing to an alleged video.

Tag scams are not new but recently they have been seen to be used with increased frequency.

Trojan distributed more aggressively

This week, Romania-based antivirus vendor Bitdefender published an analysis of such a scam, where no more than 20 friends of the victim were tagged in the malicious post acting as a lure to potential victims. In less than an hour, they tallied the number of victims to more than 5,000.

By clicking on the message, the user would be taken to a page where the preview of an adult video would be run. The play would be interrupted after a few seconds, initially offering the viewer to download a malicious file purporting to be an update for Flash Player in order to watch the rest of the clip; then the download process is started automatically.

Mohammad Reza Faghani discovered a similar scam, and according to his information, the number of victims is on the rise.

He says in an advisory on Thursday that the cybercriminals behind this Trojan rely on a more aggressive distribution method, which the researcher called “Magnet,” where the friends of the victim’s friends can also see the malicious post.

In previous cases, the initial victim would send the lure to their friends, and only if they got infected the scam would propagate to their contacts.

Cybercriminal group seems to be of Turkish origin

A brief analysis of the malware shows that the fake update for Flash Player drops a set of executable files (chromium.exe, wget.exe, arsiv.exe, verclsid.exe) on the compromised system.

As far as its functionality is concerned, Faghani says that it gains control over the mouse and the keyboard. A deeper inspection of the threat is to be conducted in order to reveal the full damage the malware is capable of.

Luckily, plenty of antivirus engines can detect it at the moment and prevent its nefarious activity.

As per information from Faghani, two of the domains contacted by the Trojan were registered in October 2014. One of them, pornokan[.]com, has the server located in Amsterdam (Digitalocean Amsterdam) and the IP for the other (filmver[.]com) points to the Cloudflare network; in both cases the registrar is FBS INC, a company in Turkey that offers domain name registration services.

These are not the only ones hosting the malicious videos as we found another one, (videooizleyin[.]com), also pointing to Cloudflare network. The domain was just registered this week, on Wednesday, showing that the crooks keep on pounding.

Bitdefender’s analysis of the scam they found concluded that the cybercriminal was of Turkish origin and used the online alias “schwarzback.”

It may be that the two reports of the tag scams are carried out by the same group using multiple domains and registrars.