{"id":22455,"date":"2023-07-12T16:10:04","date_gmt":"2023-07-13T00:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/07\/12\/news-16185\/"},"modified":"2023-07-12T16:10:04","modified_gmt":"2023-07-13T00:10:04","slug":"news-16185","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/07\/12\/news-16185\/","title":{"rendered":"Criminals target businesses with malicious extension for Meta&#8217;s Ads Manager and accidentally leak stolen accounts"},"content":{"rendered":"<p>Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware.&nbsp;We have written about scams targeting consumers that&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/06\/thousands-of-malicious-google-cloud-run-instances-deployed-to-scam-facebook-users\" target=\"_blank\">redirect to fake Microsoft alert pages<\/a>, but there are also threats targeting&nbsp;businesses&nbsp;that use Facebook to promote their products and services.<\/p>\n<p>In the past few weeks, there&#8217;s been a resurgence in sponsored posts and&nbsp;accounts that impersonate&nbsp;Meta\/Facebook&#8217;s own Ads Manager. Crooks are promising better advertising via optimization and increased performance when you use their (malware-laden) software. Meta has&nbsp;<a href=\"https:\/\/engineering.fb.com\/2023\/05\/03\/security\/malware-nodestealer-ducktail\/\" target=\"_blank\">tracked and analyzed<\/a>&nbsp;several threat actors such as&nbsp;<a href=\"https:\/\/www.withsecure.com\/en\/expertise\/research-and-innovation\/research\/ducktail-an-infostealer-malware\" target=\"_blank\">DuckTail<\/a>&nbsp;that have been active for a number of years&nbsp;with a particular interest in Facebook advertising accounts.<\/p>\n<p>Now, we&#8217;ve discovered&nbsp;a new&nbsp;attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. 
While tracking this campaign, we&nbsp;noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.<\/p>\n<p>We have passed&nbsp;the information about this campaign and the threat actors to Meta and&nbsp;thank it for taking prompt&nbsp;action following our reporting.<\/p>\n<h2>Key takeaways<\/h2>\n<ul>\n<li>Vietnamese threat actors are actively targeting Facebook business accounts<\/li>\n<li>Victims are lured via fake Ads Manager software promoted on Facebook<\/li>\n<li>Malicious Google Chrome extensions are used to steal and extract login information<\/li>\n<li>Over 800 victims worldwide, 310 in the US<\/li>\n<li>More than $180K in compromised ad budget<\/li>\n<\/ul>\n<h2>Fake Ads Manager accounts<\/h2>\n<p><a href=\"https:\/\/www.facebook.com\/business\/tools\/ads-manager\" target=\"_blank\">Ads Manager<\/a>&nbsp;is the&nbsp;product that&nbsp;enables users to run online ads on Facebook, Instagram and other platforms owned by Meta. An&nbsp;<a href=\"https:\/\/techcrunch.com\/2023\/05\/05\/hacked-verified-facebook-pages-impersonating-meta-are-buying-ads-from-meta\/\" target=\"_blank\">article in TechCrunch<\/a>&nbsp;from May describes how scammers&nbsp;were buying ads from Meta via verified accounts. They were trying to entice potential victims into downloading software to manage their advertising via a &#8220;more professional and secure tool&#8221;.<\/p>\n<p>In early June, we identified&nbsp;fraudulent accounts&nbsp;running the same scam using similar lures. It is also worth noting that these accounts often have tens of thousands of followers and&nbsp;any of their posts&nbsp;can quickly become viral. 
Scammers are primarily targeting business users who may spend ad dollars on the platform.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file83709_270962_e.png\" alt=\"\" width=\"1036\" height=\"596\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>In order to compromise those accounts, they first need to redirect potential victims onto external websites. We&#8217;ve seen several different domains that are essentially phishing pages using the Meta logo and branding. The lure is the&nbsp;Facebook Ads Manager program that is pushed&nbsp;via a download link. We&#8217;ve seen various cloud providers abused to host these&nbsp;password-protected RAR archives ranging from Google to Trello, as seen below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file5284_270962_e.png\" alt=\"\" width=\"940\" height=\"693\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<h2>Malicious Chrome extension<\/h2>\n<p>Once extracted from the archive, the file is an MSI installer package&nbsp;that&nbsp;installs several components under&nbsp;<em>C:\\Program Files (x86)\\Ads Manager\\Ads Manager<\/em>. We can see a batch script (perhaps named after Google Bard), and two folders. 
One of them is for a custom Chrome extension while the System folder contains a standalone WebDriver file.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file78955_270962_e.png\" alt=\"\" width=\"1007\" height=\"828\" \/><\/p>\n<p style=\"text-align: left;\">The batch script is launched after the MSI installer completes and essentially spawns a new browser window launched with the custom extension from that previous installation path, pointing the victim to the Facebook login page.<\/p>\n<pre>taskkill \/F \/IM chrome.exe<br \/>taskkill \/F \/IM chromedriver.exe<br \/>timeout \/t 1 &gt;nul<br \/>start chrome.exe --load-extension=\"%~dp0\/nmmhkkegccagdldgiimedpiccmgmiedagg4\" \"<a href=\"https:\/\/www.facebook.com\/business\/tools\/ads-manager\">https:\/\/www.facebook.com\/business\/tools\/ads-manager<\/a>\"<\/pre>\n<p style=\"text-align: left;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file49833_270962_e.png\" alt=\"\" width=\"724\" height=\"499\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p style=\"text-align: left;\">That&nbsp;custom extension is cleverly disguised as Google Translate and is considered &#8216;Unpacked&#8217; because it was loaded from the local computer, rather than the&nbsp;Chrome&nbsp;Web Store. A quick look at its source code reveals immediate hex obfuscation in an attempt to hide what it is actually doing.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file30666_270962_e.png\" alt=\"\" width=\"1484\" height=\"961\" \/><\/p>\n<p style=\"text-align: left;\">After reverse engineering this extension, it became quite clear that&nbsp;it had nothing to do with Google Translate. 
In fact, the code is entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts. We can see that the threat actors are interested in Facebook cookies which they request via the&nbsp;<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Add-ons\/WebExtensions\/API\/cookies\/getAll\" target=\"_blank\">cookies.getAll<\/a>&nbsp;method.<\/p>\n<p style=\"text-align: left;\">We also notice an interesting way to exfiltrate that data by using Google Analytics. This technique was&nbsp;<a href=\"https:\/\/www.humansecurity.com\/tech-engineering-blog\/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp\" target=\"_blank\">previously documented by HUMAN<\/a>&nbsp;as a way to bypass CSP.<\/p>\n<p style=\"text-align: left;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file98387_270962_e.png\" alt=\"\" width=\"774\" height=\"595\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<h2>Accidental leak<\/h2>\n<p>In total, we identified over 20 different malicious Facebook Ad Manager&nbsp;archives that installed Chrome extensions or instead went with traditional malware executables. While there are variations between samples, the attackers&#8217; main goal appears to be the same, namely to collect Facebook&nbsp;business accounts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file95285_270962_e.png\" alt=\"\" width=\"630\" height=\"556\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>While investigating a new phishing site, we&nbsp;saw&nbsp;an archive for download that looked quite different&nbsp;from the others. 
Ironically, it&nbsp;seems like the threat actors made a mistake and instead of putting the payload, they leaked their own stolen data, or rather the data they stole from victims.<\/p>\n<p>The site we came across pretends to be Meta Ads Manager and boasts the same claims of increasing ad performance that we&#8217;ve seen before. There is a button to download a file called&nbsp;<em>Meta Ads Manager.rar<\/em>&nbsp;which is hosted on Google Drive.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file39761_270962_e.png\" alt=\"\" width=\"803\" height=\"541\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>However, this&nbsp;archive does not contain the expected MSI installer, but instead several text files that were last modified on June 15:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file5608_270962_e.png\" alt=\"\" width=\"735\" height=\"824\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>While the file names are self-explanatory, we can see that they&nbsp;contain information about authentication (checkpoint, cookie, token). There is also information about the threat actor who shared this file (file owner) via Google Drive and&nbsp;their Gmail email address (this information has been passed to Meta for further action).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file80427_270962_e.png\" alt=\"\" width=\"437\" height=\"593\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>The first row of the file called&nbsp;<em>List_ADS_Tach.txt<\/em>&nbsp;contains column headers with some names in Vietnamese, confirming the nationality of the individuals behind these attacks. 
In total, there&nbsp;are 828 rows,&nbsp;which translates into&nbsp;just as many Facebook accounts that were breached.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file39077_270962_e.png\" alt=\"\" width=\"777\" height=\"472\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>As expected, the threat actors are particularly interested in their victims&#8217; advertising accounts.&nbsp;We can see different metrics related to ad&nbsp;budget (column titles were translated from Vietnamese and may be slightly inaccurate)&nbsp;as well as currencies:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file61858_270962_e.png\" alt=\"\" width=\"721\" height=\"636\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>Prized accounts will be those that have a large remaining balance for ad spend. 
While we do not know if this threat actor is directly associated with DuckTail, they have the same motives of financial profit from hacked Facebook business accounts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file97523_270962_e.png\" alt=\"\" width=\"506\" height=\"369\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>Finally, by converting the data into a map, we can see that victims are not confined to a particular geolocation, in fact they are distributed worldwide.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file42087_270962_e.png\" alt=\"\" width=\"652\" height=\"402\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p>The threat actors realized their mistake a few days&nbsp;later and trashed the file from their Google Drive account. They also updated the download link on the phishing site, with a new file hosted via MediaFire (fortunately for users, the file was detected as malware and the download is blocked).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/easset_upload_file14969_270962_e.png\" alt=\"\" width=\"849\" height=\"545\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<h2>A low cost, high yield threat<\/h2>\n<p>Business users may be tempted to optimize their ad campaigns on Facebook by clicking on certain posts and downloading programs that claim to increase their earnings. This is, however, a very dangerous practice even if (or especially if) the instructions claim that the software is secure and free of malware. 
Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.<\/p>\n<p>Fraudsters&nbsp;have a lot of time on their hands and&nbsp;spend years studying and understanding how to abuse&nbsp;social media and cloud platforms, where it is&nbsp;a constant arms race to keep bad actors out. Based on reports highlighted in TechCrunch&#8217;s recent&nbsp;<a href=\"https:\/\/techcrunch.com\/2023\/05\/05\/hacked-verified-facebook-pages-impersonating-meta-are-buying-ads-from-meta\/\" target=\"_blank\">article<\/a>, the threat actors may also reinvest some of the stolen ad budgets to place malicious ads that ensnare more victims, perpetuating this cycle.<\/p>\n<p>If you did happen to download one of those malicious Facebook Ad Manager installers,&nbsp;Malwarebytes has your back. We were already&nbsp;picking up several components from these campaigns and have added additional protection for optimal detection coverage. Victims will also want to revoke access to unknown users from their Business Manager account profile that the fraudsters may have added, as well as review their transaction history.<\/p>\n<p>We would like to thank Meta for being receptive to our report and helping to keep users safe.<\/p>\n<h2>Indicators of Compromise<\/h2>\n<p>Decoy site<\/p>\n<pre>fbadmanage[.]info<\/pre>\n<p>RAR archives (password 888 or 999)<\/p>\n<p>Analyzed MSI file<\/p>\n<pre>fd637520a9ca34f7b4b21164581a4ec498bf106ba168b5cb9fcd54b5c2caafd0<\/pre>\n<hr \/>\n<p dir=\"ltr\">Malwarebytes EDR and MDR remove all remnants of ransomware and&nbsp;prevent&nbsp;you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\" class=\"blue-cta-bttn\">TRY NOW<\/a><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/criminals-target-businesses-with-malicious-extension-for-metas-ads-manager-and-accidentally-leak-stolen-accounts\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/threat-intelligence\" rel=\"category tag\">Threat Intelligence<\/a><\/p>\n<p>Tags: Meta<\/p>\n<p>Tags: Facebook<\/p>\n<p>Tags: malware<\/p>\n<p>Tags: ads manager<\/p>\n<p>Tags: chrome<\/p>\n<p>Tags: extension<\/p>\n<p>A group of criminals is actively targeting Facebook business users to gain access to their advertising accounts via malicious Chrome extensions. But we spotted that they made a mistake&#8230;<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/criminals-target-businesses-with-malicious-extension-for-metas-ads-manager-and-accidentally-leak-stolen-accounts\" title=\"Criminals target businesses with malicious extension for Meta's Ads Manager and accidentally leak stolen accounts\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/07\/criminals-target-businesses-with-malicious-extension-for-metas-ads-manager-and-accidentally-leak-stolen-accounts\">Criminals target businesses with malicious extension for Meta&#8217;s Ads Manager and accidentally leak stolen accounts<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[29795,10699,11425,3589,3764,24884,12040],"class_list":["post-22455","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ads-manager","tag-chrome","tag-extension","tag-facebook","tag-malware","tag-meta","tag-threat-intelligence"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22455"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22455\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}