Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.
In the past few weeks, there's been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook's own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest in Facebook advertising accounts.
Now, we've discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.
We have passed the information about this campaign and the threat actors to Meta and thank it for taking prompt action following our reporting.
- Vietnamese threat actors are actively targeting Facebook business accounts
- Victims are lured via fake Ads Manager software promoted on Facebook
- Malicious Google Chrome extensions are used to steal and extract login information
- Over 800 victims worldwide, 310 in the US
- More than $180K in compromised ad budget
Fake Ads Manager accounts
Ads Manager is the product that enables users to run online ads on Facebook, Instagram and other platforms owned by Meta. An article in TechCrunch from May describes how scammers were buying ads from Meta via verified accounts. They were trying to entice potential victims into downloading software to manage their advertising via a "more professional and secure tool".
In early June, we identified fraudulent accounts running the same scam using similar lures. It is also worth noting that these accounts often have tens of thousands of followers, so any of their posts can quickly go viral. Scammers are primarily targeting business users who may spend ad dollars on the platform.
In order to compromise those accounts, they first need to redirect potential victims onto external websites. We've seen several different domains that are essentially phishing pages using the Meta logo and branding. The lure is the Facebook Ads Manager program that is pushed via a download link. We've seen various cloud providers abused to host these password-protected RAR archives ranging from Google to Trello, as seen below.
Malicious Chrome extension
Once extracted from the archive, the file is an MSI installer package that installs several components under C:\Program Files (x86)\Ads Manager\Ads Manager. We can see a batch script (perhaps named after Google Bard), and two folders. One of them is for a custom Chrome extension while the System folder contains a standalone WebDriver file.
The batch script is launched after the MSI installer completes and essentially spawns a new browser window with the custom extension loaded from that installation path, pointing the victim to the Facebook login page.
taskkill /F /IM chrome.exe
taskkill /F /IM chromedriver.exe
timeout /t 1 >nul
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
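The launch chain above (kill Chrome, relaunch it with `--load-extension` pointing at the installer directory, open Facebook) is a useful hunting signature. As an added example that is not part of the original analysis, the following Python detection logic runs over constructed EDR process-creation records (the `bard.bat` file name and expanded paths are assumed, not taken from the sample) and flags side-loaded extensions with the surrounding context:

```python
import re

# Constructed EDR process-creation records (not taken from the page), in timeline
# order, mirroring the batch script above: kill Chrome, relaunch it side-loading
# an unpacked extension from the installer directory, land on the Facebook login.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": "msiexec.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files (x86)\Ads Manager\Ads Manager\bard.bat"'},
    {"pid": 4112, "parent": "cmd.exe", "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"pid": 4120, "parent": "cmd.exe", "image": "chrome.exe",
     "cmdline": r'chrome.exe --load-extension="C:\Program Files (x86)\Ads Manager\Ads Manager\nmmhkkegccagdldgiimedpiccmgmiedagg4"'
                ' "https://www.facebook.com/business/tools/ads-manager"'},
    {"pid": 4200, "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]

# --load-extension takes a comma-separated list of directories, quoted or bare.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def extension_load_paths(cmdline):
    """Return the directories a Chrome command line side-loads, or [] if none."""
    m = LOAD_EXT.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p.strip() for p in value.split(",") if p.strip()]

def detect_sideloaded_extension(events, window=3):
    """Flag chrome.exe launches that side-load an extension and enrich each hit with
    context from the preceding `window` events. Killing existing Chrome windows first,
    or a script-host parent, separates this from a developer loading an unpacked extension."""
    findings = []
    for i, ev in enumerate(events):
        paths = extension_load_paths(ev["cmdline"]) if ev["image"].lower() == "chrome.exe" else []
        if not paths:
            continue
        recent = events[max(0, i - window):i]
        killed_chrome = any(e["image"].lower() == "taskkill.exe" and "chrome.exe" in e["cmdline"].lower()
                            for e in recent)
        scripted = ev["parent"].lower() in SCRIPT_HOSTS
        findings.append({
            "pid": ev["pid"], "extension_paths": paths,
            "preceded_by_taskkill": killed_chrome, "scripted_parent": scripted,
            "opens_facebook": "facebook.com" in ev["cmdline"].lower(),
            "severity": "high" if (killed_chrome or scripted) else "medium",
        })
    return findings
```

Run against the constructed timeline, only the relaunch by `cmd.exe` is reported, rated high because it follows a `taskkill` of `chrome.exe`.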
That custom extension is cleverly disguised as Google Translate and is considered 'Unpacked' because it was loaded from the local computer, rather than the Chrome Web Store. A quick look at its source code reveals immediate hex obfuscation in an attempt to hide what it is actually doing.
After reverse engineering this extension, it became quite clear that it had nothing to do with Google Translate. In fact, the code is entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts. We can see that the threat actors are interested in Facebook cookies which they request via the cookies.getAll method.
We also notice an interesting way to exfiltrate that data by using Google Analytics. This technique was previously documented by HUMAN as a way to bypass CSP.
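The traits described above (a "Google Translate" name with a facebook.com host scope, the cookies permission, hex-escaped strings, and a Google Analytics collect endpoint in the code) can be checked statically before an unpacked extension is trusted. As an added example that is not from the original analysis, this Python triage helper scores a constructed manifest and background script (neither is the real sample; the 15% hex-escape threshold is an assumed heuristic):

```python
import json
import re

# Constructed manifest and background script standing in for a side-loaded
# extension of the kind described above; neither is the actual sample.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Google Translate", "version": "2.0.13",
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["*://*.facebook.com/*", "*://*.google-analytics.com/*"],
    "background": {"service_worker": "bg.js"},
})
SAMPLE_SCRIPT = (
    'var _0x1=["\\x66\\x61\\x63\\x65\\x62\\x6f\\x6f\\x6b\\x2e\\x63\\x6f\\x6d"];'
    'chrome.cookies.getAll({domain:_0x1[0]},function(c){report(c);});'
    'var ga="https://www.google-analytics.com/collect";'
)

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
GA_COLLECT = re.compile(r"google-analytics\.com/(?:g/|mp/)?collect", re.IGNORECASE)

def hex_escape_density(code):
    """Fraction of the source made up of \\xNN escapes; readable code is near 0."""
    return 4 * len(HEX_ESCAPE.findall(code)) / len(code) if code else 0.0

def triage_extension(manifest_json, scripts, unpacked=True):
    """Score an extension against the traits of the Facebook-stealing sample
    described above; returns the score with the reasons behind it."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    fb_scoped = any("facebook.com" in h or h == "<all_urls>" for h in hosts)
    code = "\n".join(scripts)
    reasons = []
    if "cookies" in perms and fb_scoped:
        reasons.append("cookies permission with facebook.com in host scope")
    if "cookies.getAll" in code:
        reasons.append("calls chrome.cookies.getAll")
    density = hex_escape_density(code)
    if density > 0.15:  # assumed threshold; tune on a corpus of benign extensions
        reasons.append(f"hex-escape obfuscation ({density:.0%} of source)")
    if GA_COLLECT.search(code):
        reasons.append("Google Analytics collect endpoint usable as CSP-tolerated exfil channel")
    name = m.get("name", "")
    if "translate" in name.lower() and fb_scoped:
        reasons.append(f"name '{name}' does not match facebook.com host scope")
    if unpacked:
        reasons.append("loaded unpacked (not installed from the Chrome Web Store)")
    return {"name": name, "score": len(reasons), "reasons": reasons}
```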
In total, we identified over 20 different malicious Facebook Ad Manager archives that installed Chrome extensions or instead went with traditional malware executables. While there are variations between samples, the attackers' main goal appears to be the same, namely to collect Facebook business accounts.
While investigating a new phishing site, we saw an archive for download that looked quite different from the others. Ironically, it seems the threat actors made a mistake: instead of including the payload, they leaked their own stolen data, or rather the data they had stolen from victims.
The site we came across pretends to be Meta Ads Manager and boasts the same claims of increasing ad performance that we've seen before. There is a button to download a file called Meta Ads Manager.rar which is hosted on Google Drive.
However, this archive does not contain the expected MSI installer, but instead several text files that were last modified on June 15:
While the file names are self-explanatory, we can see that they contain information about authentication (checkpoint, cookie, token). There is also information about the threat actor who shared this file (file owner) via Google Drive and their Gmail email address (this information has been passed to Meta for further action).
The first row of the file called List_ADS_Tach.txt contains column headers with some names in Vietnamese, confirming the nationality of the individuals behind these attacks. In total, there are 828 rows, which translates into as many breached Facebook accounts.
As expected, the threat actors are particularly interested in their victims' advertising accounts. We can see different metrics related to ad budget (column titles were translated from Vietnamese and may be slightly inaccurate) as well as currencies:
Prized accounts will be those that have a large remaining balance for ad spend. While we do not know if this threat actor is directly associated with DuckTail, they have the same motives of financial profit from hacked Facebook business accounts.
Finally, by converting the data into a map, we can see that victims are not confined to a particular geolocation, in fact they are distributed worldwide.
The threat actors realized their mistake a few days later and trashed the file from their Google Drive account. They also updated the download link on the phishing site, with a new file hosted via MediaFire (fortunately for users, the file was detected as malware and the download is blocked).
A low cost, high yield threat
Business users may be tempted to optimize their ad campaigns on Facebook by clicking on certain posts and downloading programs that claim to increase their earnings. This is, however, a very dangerous practice even if (or especially if) the instructions claim that the software is secure and free of malware. Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.
Fraudsters have a lot of time on their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arms race to keep bad actors out. Based on reports highlighted in TechCrunch's recent article, the threat actors may also reinvest some of the stolen ad budgets to place malicious ads that ensnare more victims, perpetuating this cycle.
If you did happen to download one of those malicious Facebook Ad Manager installers, Malwarebytes has your back. We were already picking up several components from these campaigns and have added additional protection for optimal detection coverage. Victims will also want to revoke access to unknown users from their Business Manager account profile that the fraudsters may have added, as well as review their transaction history.
We would like to thank Meta for being receptive to our report and helping to keep users safe.
Indicators of Compromise
RAR archives (password 888 or 999)
Analyzed MSI file