Facebook Ads Spread Malware via Fake Windows 11 Downloads

21 Feb 2026

Attackers have exploited Facebook ads to distribute malware through fake Windows 11 download pages, posing a significant threat to users' passwords and cryptocurrency wallets.

Malicious Campaign Details

The campaign involved paid Facebook ads that impersonated Microsoft, directing users to convincing clones of the Windows 11 download page. Upon clicking "Download now," users received a 75 MB installer named ms-update32.exe, hosted on GitHub and packaged with Inno Setup. The attackers used fake domains such as ms-25h2-download.pro and ms25h2-update.pro to carry out the scheme.

The malicious pages employed geofencing and sandbox detection techniques, redirecting data-center and scanner IPs to google.com, while regular users were served the harmful file. The installer was designed to check for virtual machines and debuggers, and on real machines, it extracted an Electron application to C:\Users\USER\AppData\Roaming\LunarApplication\.

Technical Execution and Persistence

The malware executed obfuscated PowerShell scripts in the %TEMP% directory with -ExecutionPolicy Unrestricted, ensuring persistence by writing a large binary to the registry key HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults. It performed process injection, deleted temporary files, and could trigger reboots. The malware used multiple obfuscation and encryption methods, including RC4, HC-128, XOR, and FNV, to evade analysis.

The fake pages embedded Facebook Pixel tracking, and the attackers ran two parallel ad campaigns on separate domains for redundancy. Indicators of compromise include specific SHA-256 hashes, file system artifacts, and Facebook Pixel IDs.

Recommended Security Measures

Users are advised not to install updates from social media sources. It is recommended to run a full scan with Malwarebytes immediately, change passwords from a clean device, and move cryptocurrency to a new wallet generated on a clean machine. Blocking the phishing domains at DNS or proxy levels and alerting on PowerShell executions using -ExecutionPolicy Unrestricted are also advised. Additionally, hunting for the LunarApplication directory and randomized .yiz.ps1/.unx.ps1 files in the %TEMP% directory can help identify compromised systems.
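The hunting steps above, collected into a single host-check script. This is an added example, not code from the original write-up or from any vendor; it assumes user profiles live under C:\Users, that per-user %TEMP% is AppData\Local\Temp, and that the event-log check only returns results where process-creation auditing (Event ID 4688) with command-line logging is enabled.

```powershell
# Added hunt script, not from the original article. Checks one Windows host for the
# artifacts the write-up names and returns the findings as a list of strings.
# Assumptions: profiles under C:\Users, per-user temp at AppData\Local\Temp, and
# 4688 auditing with command-line logging for the last check (otherwise it is empty).
function Find-LunarArtifacts {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)

    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        # Electron payload directory dropped by the installer
        $appDir = Join-Path $profile.FullName 'AppData\Roaming\LunarApplication'
        if (Test-Path $appDir) { $findings.Add("Payload directory present: $appDir") }

        # Randomised .yiz.ps1 / .unx.ps1 droppers in the user's temp directory
        $temp = Join-Path $profile.FullName 'AppData\Local\Temp'
        Get-ChildItem $temp -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.(yiz|unx)\.ps1$' } |
            ForEach-Object { $findings.Add("Suspicious dropper script: $($_.FullName)") }
    }

    # Registry location the article reports being used to stash the persisted binary
    $key = 'HKLM:\SYSTEM\Software\Microsoft\TIP\AggregateResults'
    if (Test-Path $key) { $findings.Add("Persistence registry key present: $key") }

    # Recent process creations where PowerShell was launched with -ExecutionPolicy Unrestricted
    # (-match is case-insensitive in PowerShell, so casing variants are still caught)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'powershell' -and $_.Message -match '-ExecutionPolicy\s+Unrestricted' } |
        ForEach-Object { $findings.Add("Unrestricted PowerShell launch at $($_.TimeCreated)") }

    return $findings
}

$results = Find-LunarArtifacts
if ($results.Count -eq 0) { 'No indicators found' } else { $results }
```

Run it from an elevated PowerShell session so the Security log and other users' profiles are readable; a non-empty result is a lead for triage, not proof of compromise on its own.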
