Security researchers at Guardio Labs have discovered a massive malverposting campaign leveraging Facebook Ads, causing over 500,000 infections worldwide within three months.
The campaign uses promoted social media posts and tweets to distribute malicious software and other security threats to unsuspecting users. Malverposting involves using promoted social media posts to spread malware and other threats to a larger target pool.
Previously, hackers exploited Google search and Facebook Ads to promote financial, tech support, and phishing scams and distribute malicious software and tools like fake ChatGPT Chrome extensions.
Malverposting campaign posts inappropriate Facebook Ads on business profiles
Attributed to a Vietnamese threat actor, the malverposting campaign starts by abusing Facebook’s ad network to post malicious click-bait links promising adult-rated photo album downloads for free.
“One of those campaigns, linked to a Vietnamese threat actor, has been ongoing for months now, gaining more traction lately using resilient deployment techniques and is estimated to surpass 500k infections worldwide so far,” Guardio researchers warned.
The threat actor also creates fake pages and hijacks legitimate business profiles with many followers to post malicious Facebook Ads.
“This threat actor is creating new business profiles, as well as hijacking real, reputable profiles with even millions of followers,” the researchers explained.
Additionally, the threat actors used the remaining funds to post more malicious Facebook Ads.
Hijacked businesses not only lost their funds but also suffered reputational damage from the inappropriate baity content posted on their profiles.
“Not only this amplifies the reach, hurting new users, it completely halts the legitimate business activity of reputable brands and stores that may have been building their accounts for years.”
However, the threat actors rarely modified the hijacked accounts except for the profile pictures that appear on Facebook Ads.
Facebook Ads malware has APT-like behaviors
The malverposting campaign begins by tricking the victim into downloading a compressed file supposedly containing the raunchy photos.
“Once victims click on those posts/links, a malicious ZIP file is downloaded to their computers,” Guardio Labs researchers explained. “Inside are photo files (that are actually masqueraded executable files) that, when clicked, will initiate the infection process.”
The zipped file contains WDSynchService.exe, curl.exe, 7z.exe, and WDSynch.dll deployed through sideloading. The second step involves downloading relevant code from the attacker’s C2 server using curl and 7zip binaries.
The attacker downloads a bytecode precompiled PHP-based stealer (Ducktail or SYS01) which is difficult to decrypt, giving them an advantage over automated tools. Downloading the stealer in 7zip format inside another zip enables the file to preserve its integrity and prevent fingerprinting.
Meanwhile, the attacker puts the victims at ease by opening a browser window with a website showing related content while the malware silently deploys in the background.
Finally, the attacker deploys the malware to gain persistence and periodically exfiltrates the victims’ sessions, cookies, accounts, crypto-wallets, and other sensitive information.
The highly sophisticated payload employed various evasive tactics to avoid detection by anti-virus software and enterprise End Point Detection solutions.
Such tactics include APT techniques such as DLL sideloading, code encryption, and anti-fingerprinting techniques such as file variation and compression.
Malverposting campaign is sustainable and has very high conversion rates
According to the researchers, people who clicked on the malverposting posts were very likely to run the malware.
“Since the “intent” of the user is relatively high because of the baity content, many proceed to extract the Zip file content.”
Additionally, given social media’s crucial role in people’s lives, the malicious Facebook Ads had “very high conversion rates.”
According to the researchers, the malverposting campaign was sustainable because the attacker could easily generate new profiles for posting inappropriate Facebook Ads “under the radar” of policy enforcers.
Although the malverposting campaign spread worldwide, the researchers detected most activity in the United States, Canada, the United Kingdom, and Australia.