This evolving data-stealing campaign abuses advertisement networks and services, such as sponsored posts on Facebook, to distribute malware and scams, impacting legitimate businesses and users.
Guardio, a cybersecurity firm that monitors and protects against online threats, has observed a significant increase in “Malverposting” – social media-delivered threats that gain traction using paid promotion. In other words, threat actors pay for ads that amplify their malicious posts, exploiting the vast delivery power and reputation of Facebook, Twitter, and other social platforms to pinpoint targets and deliver malicious content directly to their screens.
These attacks begin with posts that appear in users' feeds, some containing bait content and others masquerading as legitimate services or discounts. All of them are fake and lead to scams or malware installation.
Vietnamese-Originating Malverposting Campaign
A specific threat actor initiated a data-stealing campaign a few months ago that continues to evolve and evade detection using novel techniques. The campaign is propagated through mass Malverposting on Facebook, with the threat actor creating new business profiles and hijacking real, reputable profiles with millions of followers. These hijacked profiles are then used to bombard Facebook feeds with malicious click-bait, promising free adult-rated photo album downloads.
Victims who click on these posts/links download a malicious ZIP file. Many users proceed to extract the ZIP file content, which contains photo files that are actually masqueraded executable files. When clicked, these files initiate the infection process. The infecting payload opens a browser window popup with a decoy website displaying similar content, while in the background, the stealer silently deploys, executes, and gains persistence to periodically exfiltrate session cookies, accounts, crypto-wallets, and more.
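The lure described above relies on archive entries that look like photos but are really executables. The following Python script is an added example (not Guardio's tooling and not code from the campaign) showing how a defender can triage such a ZIP before anyone extracts it: it flags entries whose content starts with a Windows PE header while the name claims an image, entries with a double extension such as `.jpg.exe`, and names containing a right-to-left-override character. The sample archive is constructed inline with placeholder bytes; the entry names and contents are assumptions for the demonstration.

```python
import io
import zipfile

# Extensions the lure promises (image files) and extensions Windows will run
# on double-click. Both sets are assumptions chosen for this example.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
PE_MAGIC = b"MZ"          # first two bytes of every Windows PE executable
JPEG_MAGIC = b"\xff\xd8\xff"
RTLO = "\u202e"           # right-to-left override, used to disguise extensions


def _extensions(name):
    """Return all dotted extensions of the final path component, lowercased."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def suspicious_entries(zip_bytes):
    """Scan an in-memory ZIP and return a list of (entry_name, reasons) for
    entries that look like executables masquerading as photos."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = _extensions(name)
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if head == PE_MAGIC:
                if exts and exts[-1] in IMAGE_EXTENSIONS:
                    reasons.append("PE header under an image extension")
                else:
                    reasons.append("PE header (MZ) at start of content")
            if (len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS
                    and any(e in IMAGE_EXTENSIONS for e in exts[:-1])):
                reasons.append("double extension")
            if RTLO in name:
                reasons.append("right-to-left override in filename")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Build a constructed sample archive: one real-looking JPEG, one
    double-extension executable, one PE disguised with a .jpg name, and a
    harmless text file. The MZ payloads are padding, not real executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo1.jpg", JPEG_MAGIC + b"\x00" * 64)
        zf.writestr("album/photo2.jpg.exe", PE_MAGIC + b"\x90" * 64)
        zf.writestr("album/photo3.jpg", PE_MAGIC + b"\x90" * 64)
        zf.writestr("album/readme.txt", b"constructed sample text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()):
        print(entry, "->", "; ".join(why))
```

Only the first two bytes of each entry are read, so the check is cheap enough to run on every downloaded archive at a mail or web gateway. Decompressing a member to inspect it does not execute anything, but the script never writes any entry to disk.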
Damage and Origin
Some of the Facebook accounts targeted by this Malverposting campaign belong to business owners. When their details are compromised, the attacker hijacks their accounts, leveraging the businesses’ reputation and their advertisement accounts (which sometimes still hold funds). The attacker assumes the business’s identity and branches out to propagate more malicious ads through the hijacked accounts.
Not only does this amplify the reach and harm new users, but it also completely halts the legitimate business activities of reputable brands and stores that may have spent years building their accounts. Examples of hijacked Facebook business profiles include an IT company, a shoe store, and a music artist from Peru with 1.3 million followers (Dr. Techno).
The campaign still manages to escape Facebook’s detection and content control, and its infection rates have reached new records in recent weeks. Moreover, the malicious payload dropped from the posts is also evolving and doing a decent job of evading top-of-the-line protection methods like antivirus and endpoint detection tools with its sophisticated deployment techniques, such as DLL sideloading and code encryption.
How the Malverposting Campaign Evades Detection
The Vietnamese-originating Malverposting campaign is particularly concerning due to its ability to evade detection by employing sophisticated techniques. The attackers have implemented DLL sideloading, code encryption, and other advanced concepts, allowing them to bypass many antivirus and endpoint detection tools.
Additionally, the campaign’s rapid evolution makes it challenging for cybersecurity researchers and social media platforms to keep up with the malware’s latest iterations. Despite its inappropriate content, the campaign continues to slip through Facebook’s content control and detection systems.
Recommendations for Businesses and Users
To protect themselves from the Malverposting campaign and similar threats, businesses and users should:
- Regularly update their security measures, including antivirus and endpoint detection software, to stay ahead of evolving malware threats.
- Exercise caution when clicking on sponsored content or advertisements, especially those that seem suspicious or too good to be true.
- Enable two-factor authentication (2FA) on all online accounts, including social media profiles, to minimize the risk of account takeover.
- Regularly monitor their accounts for unusual activity or unauthorized access and report any suspicious incidents to the relevant platform.
- Educate their employees and followers about the risks of Malverposting and other social media-based threats, and promote safe online practices.