SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Bitdefender reveals malvertising campaign targeting Meta

Fri, 1st Nov 2024

Bitdefender has unmasked a "malvertising" campaign targeting Meta business accounts and the personal accounts of primarily middle-aged males in Australia.

This cyber campaign has reportedly been active for at least a month. Bitdefender estimates that the number of potential victims could be in the millions across several regions including Australia, North America, the European Union, and Asia. The method involves mimicking advertisements for well-known software tools and brands such as Canva, Microsoft, Netflix, and Super Mario Bros to distribute a specific "InfoStealer" tool.

The cybercriminals behind the campaign entice unsuspecting users into downloading malware. While victims believe they are interacting with legitimate software, their Facebook credentials are harvested and then sold on the dark web. Moreover, the compromised accounts are used to launch further attacks. Often, the malware operates silently in the background while a decoy application appears to function normally, making it challenging for victims to detect the compromise.

Bitdefender Labs has been monitoring malvertising trends and the evolving tactics used by cybercriminals. Their latest research highlights a campaign leveraging Meta's advertising platform specifically to spread the SYS01 InfoStealer malware, a primary weapon in the campaign arsenal aimed at various international platforms.

Compared to past malvertising campaigns, these attacks now employ an ElectronJs application for malware delivery. The campaign has expanded its impersonation tactics to include a wide array of well-known software tools, broadening the target audience and thereby increasing its effectiveness.

The campaign uses nearly a hundred malicious domains for distributing malware and conducting live command and control operations. Researchers observed numerous ads impersonating video editing software like CapCut, productivity tools like Office 365, streaming services such as Netflix, and video games. Such impersonations are aimed at maximising victim engagement.

The campaign is extensive, with scope reaching globally across Europe, North America, Australia, and Asia. Males aged over 45 are particularly targeted. While Meta provides some data on ad impact within the EU, there is limited insight into how these malicious ads affect users in other regions, notably the United States.

To evade detection, the campaign employs adaptive strategies by updating malicious payloads in real time. When antivirus companies detect and block a version, hackers enhance the obfuscation methods and re-introduce the ads with updated malware.

Malware is distributed via social media ads, often through MediaFire links leading to a download containing an Electron application. Despite structural differences in the downloaded archive, the infection process consistently relies on JavaScript code within the Electron app to execute malicious software.

A core feature of the infostealer is its ability to gather data about Facebook pages that can be used in further attacks or sold on the dark web. The advanced evasive maneuvers, including sandbox detection, allow the infostealer to remain undetected in many cases.

The criminal model underpinning SYS01 InfoStealer is highly structured. The main objective is harvesting Facebook credentials, especially from business accounts, which allows the attackers to exploit the accounts to create credible ads that bypass security filters and spread further.

By hijacking Facebook accounts, cybercriminals can continue promoting malicious ads without the need to create new accounts, enabling them to consistently direct traffic to malicious downloads. The business model not only reduces costs but also minimises reliance on more targeted methods such as phishing campaigns.

The revenue model involves selling the stolen credentials and data on underground marketplaces, creating multiple revenue streams from each compromised user.

Bitdefender recommends being cautious about clicking on adverts that offer free downloads, staying vigilant about the source of any software, and ensuring robust cybersecurity measures are in place, such as two-factor authentication and up-to-date security software, particularly for Facebook business accounts.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X