A trojan that steals user personal information has been running wild across the web in recent days. It originates from a fake PDF reader distributed by several different sites, and once installed attempts to access victim Facebook sessions to grab cookies and gain illicit access to Facebook Ads Manager. BleepingComputer is reporting that in addition to the attempt to steal Facebook data, the trojan also hijacks Amazon sessions in an attempt to breach user accounts.
The trojan-bearing software, called PDFReader, is especially insidious as it makes use of a legitimate-looking digital security certificate to signal to unwary downloaders that it is provided by a safe site.
Trojan used to steal payment information from Facebook Ads Manager, Amazon
Distributed by several different sites, the executable files that contain the trojan are disguised as a PDF file-reading program and signed by a valid SSL certificate from Sectigo. Formerly Comodo CA until 2018, Sectigo is the world’s largest commercial distributor of such certificates. The presence of a valid certificate of this type is a key element in inspiring user trust and in allowing the executable to pass through the automated scanning systems used by operating systems and antivirus software. The certificates are in the name of Rakete Content Gmbh, which appears to be a legitimate publishing business based in Austria.
Once installed, the trojan raids the Chrome and Firefox databases for stored Facebook session cookies. It then uses these cookies to extract the user’s account ID and access token, which gives it access to the Facebook Ads Manager billing URL and account settings. These settings are used by businesses that run ads on Facebook and contain personal contact and payment information (such as credit card number, expiration date and PayPal email).
Though the primary threat is the theft of account data from businesses that use Facebook Ads Manager, the trojan can also take over and lock out the accounts of the average Facebook or Amazon user. It also looks for stored Amazon session cookies, which, once obtained, can be used to log into the site as that user. While Amazon does encrypt stored credit card information, this would not necessarily stop attackers from making purchases on the site and having them shipped to whatever address they care to enter, or from buying digital gift card codes that are delivered instantly.
PDFReader apparently does actually read PDF files, functioning normally while the trojan quietly steals this information in the background. BleepingComputer reports that the sites promoting its various variants were not offering direct downloads of it; instead, it appears to be bundled in adware collections with other potentially intrusive but less hostile programs.
A nation-state attack?
There is some speculation that this trojan could have been deployed for more than just financial gain.
Some security researchers have speculated that the trojan may originate from a nation-state, and that the primary use is for espionage. It could be used to passively gather information about political ads being run on Facebook during America’s 2020 election season, or even to actively take over Facebook Ads Manager accounts and run political ads.
MalwareHunterTeam, the researchers who discovered the trojan, indicated in a series of initial tweets that there were signs that it originated from China due to some of the language used in the code.
It’s still unclear who the attackers are and what their intentions are. Nation-state involvement is pure speculation at this point. It is entirely possible that this is a team of criminals simply looking for payment information and stolen merchandise, given the involvement of Amazon accounts (as well as the wealth of billing information found in Facebook Ads Manager accounts). And as Mike Bittner, director of digital security and operations at The Media Trust, points out:
“Bad actors are clearly expanding their arsenal with highly specialized code designed for them to profit from the planet’s most widely used platforms. They’ve crafted schemes to score simultaneously from data theft and ad fraud, exploiting unwary consumers’ visits to unknown websites and freeware downloads. The timing of this attack is expected–the holidays mark the height of consumer online searches for deals and purchases. Once the holidays are over, the data can also be parlayed for political microtargeting and other private-data-for-profit schemes.”
Whatever the case, access to Facebook Ads Manager settings provides the attackers with the means to both generate and alter political ads. While they might not be interested in doing this themselves, they might be interested in selling this capability to people who are. As Mark Miller, director of enterprise security support at Venafi, points out:
“Certificate authorities are in the business of trust; users are trained to trust a URL if they see a padlock in the address bar. Trust is a precious commodity on the Internet and attackers are more than willing to exploit it for their own personal gain.
“We’re in the middle of an intense industry push to encrypt the entire web. Unfortunately, this trend has been a double-edged sword. If a bad actor purchases a certificate from a public CA, they are essentially buying trust. Attacks like the one that targets Facebook Ads Manager and Amazon session cookies are not uncommon.
“During topical seasons, such as election years, we will probably see an increase in traffic pointing you to malicious ends. If anyone can buy a trusted certificate to sign their code, then we need to be extremely vigilant when visiting websites and downloading applications. Besides only focusing on a trusted certificate, users should always check that the source is known and good to the best of their ability.”
Free software, certificates and trust
PDF readers have long been a popular vector for various forms of malware. The file format is very commonly used as a standard in business and academia, but requires the use of proprietary Adobe software to view and edit. Adobe makes a free PDF viewer available, but asks end users to pay a substantial fee for the ability to fill in forms and to create and edit these files. Simply viewing this file format can also sometimes be an issue on devices other than Windows and Mac computers. This creates a constant market of users looking for free alternatives, one that bad actors are always looking to exploit.
One means of screening out potential threats in this market is the presence of a security certificate. A valid certificate adds the padlock symbol to a URL in most browsers, and takes away a key automated warning that most browsers or operating systems issue when a user downloads or executes an unsigned file.
However, it has become easier in recent years for threat actors to obtain legitimate-looking security certificates. In some cases these certificates are stolen, but this is relatively rare compared to the practice of fraudulently obtaining them. Dark web operators openly offer this as a service, usually using employee credentials stolen in some sort of hack or data breach to pose as a legitimate representative of a trusted organization and get a certificate authority (CA) to issue a valid certificate to them.
SSL certificates are still an important part of the web of trust that allows the internet to function, but it’s equally important to recognize that the presence of an HTTPS URL with a padlock next to it is not an automatic assurance that a website is legitimate and that the resources it serves are safe. As this Facebook Ads Manager exploit demonstrates, even an encrypted site may attempt to steal data from the user.
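One concrete way to act on the advice above before running a signed download, as an added example that is not code from the article or from the researchers it cites: check the file's Authenticode signature in PowerShell, but then inspect and allowlist the signer's identity, since a "Valid" status only proves that a CA vouched for the name on the certificate. The trusted-publisher list and the download path are assumptions.

```powershell
# Added example (not from the article): a signature is "Valid" when a CA
# vouched for the name on the certificate, so the decision has to be about
# WHO that name is. The allowlist and sample path below are assumptions.

function Test-TrustedSigner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Exact certificate subjects you have already vetted (assumed values).
        [string[]]$TrustedPublishers = @('CN=Example Software Ltd, O=Example Software Ltd, C=US')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. Unsigned or tampered files stop here, but passing this step says
    #    nothing about who the signer is.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    $cert = $sig.SignerCertificate

    # 2. Record the identity the CA vouched for, so an unfamiliar publisher
    #    is visible in logs rather than hidden behind a green "Valid".
    Write-Host "Signer : $($cert.Subject)"
    Write-Host "Issuer : $($cert.Issuer)"
    Write-Host "Window : $($cert.NotBefore) to $($cert.NotAfter)"
    Write-Host "SHA256 : $((Get-FileHash -Path $Path -Algorithm SHA256).Hash)"

    # 3. Defence in depth: require the code-signing EKU (1.3.6.1.5.5.7.3.3)
    #    so a certificate issued for some other purpose is not accepted.
    $isCodeSigning = $cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' }
    if (-not $isCodeSigning) {
        Write-Warning "Certificate has no code-signing EKU."
        return $false
    }

    # 4. The real decision: is this a publisher you already know and trust?
    #    A valid certificate in an unknown company's name fails here.
    if ($TrustedPublishers -notcontains $cert.Subject) {
        Write-Warning "Signer '$($cert.Subject)' is not on the trusted publisher list."
        return $false
    }
    return $true
}

# Usage (assumed path): $false means do not run the installer.
Test-TrustedSigner -Path 'C:\Users\me\Downloads\PDFReader-setup.exe'
```

The subject comparison is an exact string match on purpose: a look-alike name that differs by one character should fail, not pass.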