A new wave of threat actors is abusing Facebook's advertising platform to promote fraudulent downloads. The ads tout enticing offers such as Windows themes, free game downloads, and software activation cracks for popular applications like Photoshop, Microsoft Office, and Windows, and are part of a scheme to distribute information-stealing malware.
Hijacking Facebook Pages
These deceptive advertisements are run from newly created Facebook business pages or from existing pages that the threat actors have hijacked. Once in control of a page, they rename it to match the theme of their advertisement, so the downloads are promoted to the page's existing followers as well as to ad audiences. This significantly amplifies the reach of their fraudulent campaigns.
"The threat actors assume the business identity by renaming the Facebook pages; this allows them to leverage the existing follower base to amplify the reach of their fraudulent advertisement significantly," reads a report by Trustwave. Notably, these pages have been administered by individuals located in Vietnam or the Philippines at various times.
Massive Ad Campaigns
Trustwave reports that these threat actors launch thousands of ads for each campaign. Some of the top campaigns include:
- blue-softs: 8,100 ads
- xtaskbar-themes: 4,300 ads
- newtaskbar-themes: 2,200 ads
- awesome-themes-desktop: 1,100 ads
When a Facebook user clicks on one of these ads, they are redirected to webpages hosted on platforms like Google Sites or True Hosting. These pages masquerade as legitimate download sites for the advertised content.
The Malware Payload
The True Hosting pages primarily promote a website called Blue-Software, which falsely claims to offer free software and game downloads. Clicking on the 'Download' buttons initiates the download of a ZIP archive named after the purported item. For instance, downloading fake Windows themes would deliver an archive named 'AwesomeThemesforWin1011.zip', while Photoshop would be 'AdobePhotoshop_2023.zip'.
However, instead of receiving a free application or game, users unwittingly download the SYS01 information-stealing malware. Discovered by Morphisec in 2022, this malware employs a combination of executables, DLLs, PowerShell scripts, and PHP scripts to install itself and steal data from the infected computer.
Malware Operation
When the archive's main executable is run, it uses DLL sideloading to load a malicious DLL that sets up the malware's operating environment. This includes running PowerShell scripts that check for a virtualized or analysis environment and abort if one is detected, adding folder exclusions to Windows Defender so the malware's files are not scanned, and configuring a PHP runtime that is used to run the malicious PHP scripts.
The primary payload of the SYS01 malware consists of PHP scripts that create scheduled tasks for persistence and steal data from the device. The stolen data includes browser cookies, credentials saved in the browser, browser history, and cryptocurrency wallets.
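Two of the host artifacts described above, a Windows Defender exclusion being added and a scheduled task that launches a PHP or PowerShell interpreter from a user-writable directory, are visible in standard Windows event logs (Defender operational event 5007 for configuration changes, Security event 4698 for task creation). The following detection logic is an added example written for this article, not code from Trustwave or from the SYS01 malware itself; every event record, task name and path in it is constructed for illustration, and the indicators it matches on are generic (interpreter names and user-writable locations), not the campaign's real file names.

```python
"""Hunt for SYS01-style persistence and evasion artifacts in flattened
Windows event records: a Defender exclusion being added (event 5007) and a
scheduled task whose action runs an interpreter from a user-writable path
(event 4698). All sample records below are constructed for this example."""
import re

# Directories a low-privilege user can write to; a payload unpacked from a
# downloaded ZIP normally lives here rather than under Program Files.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\temp\\|\\users\\public\\",
    re.IGNORECASE,
)
# Interpreters the article names (PowerShell, PHP) plus common script hosts.
INTERPRETERS = re.compile(
    r"\\(php|powershell|pwsh|wscript|cscript|rundll32|mshta)\.exe", re.IGNORECASE
)
# In a 5007 event an added exclusion appears under "New value:" as a registry
# path ending in "= 0x0"; a removal appears under "Old value:" instead.
EXCLUSION_ADDED = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)
TASK_NAME = re.compile(r"Task Name:\s*(\S+)")

# Constructed sample events (hypothetical paths and task names, not IOCs).
SAMPLE_EVENTS = [
    {"id": 5007, "message": r"Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp\stage = 0x0"},
    {"id": 5007, "message": r"Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanScheduleTime = 0x6c"},
    {"id": 4698, "message": r"A scheduled task was created. Task Name: \WindowsUpdateCheck Task Content: <Task><Actions><Exec><Command>C:\Users\alice\AppData\Roaming\Runtime\php.exe</Command><Arguments>-f include\main.php</Arguments></Exec></Actions></Task>"},
    {"id": 4698, "message": r"A scheduled task was created. Task Name: \Vendor\Updater Task Content: <Task><Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions></Task>"},
]


def check_defender_exclusion(event):
    """Return a finding when a 5007 event adds an exclusion, else None.
    Exclusions under user-writable paths are rated high: that is where a
    dropped payload would need to hide from scanning."""
    if event["id"] != 5007:
        return None
    m = EXCLUSION_ADDED.search(event["message"])
    if not m:
        return None
    kind, value = m.group(1), m.group(2)
    severity = "high" if USER_WRITABLE.search(value) else "medium"
    return {"rule": "defender_exclusion_added", "severity": severity,
            "kind": kind, "value": value}


def check_scheduled_task(event):
    """Return a finding when a 4698 event's task action runs an interpreter
    or anything from a user-writable directory, else None."""
    if event["id"] != 4698:
        return None
    msg = event["message"]
    name = TASK_NAME.search(msg)
    for cmd in TASK_COMMAND.findall(msg):
        interp = bool(INTERPRETERS.search(cmd))
        writable = bool(USER_WRITABLE.search(cmd))
        if interp or writable:
            return {"rule": "suspicious_scheduled_task",
                    "severity": "high" if (interp and writable) else "medium",
                    "task": name.group(1) if name else "?", "command": cmd}
    return None


def hunt(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_scheduled_task):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

On a real host the same two rules can be applied to live state rather than logs: Defender's current exclusion list is returned by `Get-MpPreference` (the `ExclusionPath` and `ExclusionProcess` properties) and task actions by `Get-ScheduledTask`, so an unexpected exclusion under a user profile combined with a task that launches php.exe or powershell.exe from that profile is a strong indicator even when the original 5007 and 4698 events have rolled off.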
Targeting Facebook Data
The malware also includes a task that uses the Facebook session cookies found on the device to pull account information from the social media site. This stolen data includes:
- Personal profile information such as name, email, and birthday.
- Detailed advertising account data, including spending and payment methods.
- Data related to businesses, ad accounts, and business users, highlighting access to commercial and sensitive financial data.
- Details about Facebook pages managed by the user, including follower counts and roles.
Because the stolen data covers both personal profiles and business ad accounts, a single infection can hand the threat actors everything they need to hijack further pages and fund new ad campaigns with the victim's own payment methods, which is how these campaigns sustain themselves.