Facebook details a massive Chinese malware campaign that has targeted its advertising platform for years and stole $4 million from users' ad accounts. The campaign gained attention after social media security groups first became active.
The malware, called SilentFade (meaning "running Facebook ads quietly with vulnerabilities"), breaks Facebook accounts and uses them to promote malicious ads, steal browser cookies, and more. The social media giant says China's malware campaign began in 2016, but it was first discovered in December 2018 because of a surge in suspicious traffic at multiple ends of Facebook. After extensive investigation, Facebook shut down the campaign.Take legal action against cybercriminalsBehind the December 2019 attack.
Facebook's Sanchit Karve and Jennifer Urjiez said: "Our investigation found interesting techniques that were used to disrupt people's advertising fraud targets. "In Thursday's analysisIt was unveiled this week at the 2020 Viral Bulletin. "Attackers are mainly engaged in malicious advertising campaigns, often in the form of advertising pills and spam with false celebrity endorsements."
Facebook说SilentFadeNot downloaded or installed by using Facebook or any of its products. Instead, it is usually tied to potentially unwanted programs (puppies).PUP is a software program that users may consider unnecessary., they may use implementations that could compromise privacy or compromise user security. In this case, the researchers believe that the malware was spread through pirated popular software, such as vector illustrations and page layouts of CorelDlauGraphics graphic design software, as shown in the image below.
Once installed, SilentFade stole Facebook credentials and cookies from various browser credential stores, including Internet Explorer, Chromium and Firefox.
"Cookies are more valuable than passwords because they contain session tokens, which are authenticated tokens," the researchers said. "Using compromised credentials, you may experience accounts protected by two-factor authentication, which SilentFade cannot bypass."
The malware itself consists of three to four components, the main downloader components of which are contained in the PUP package, the researchers said. The downloader component is either a stand-alone malware component or a Windows service (installed as "AdService" or "HNService"). It is responsible for rebooting persistence and removing 32-bit and 64-bit versions of Dynamic Library Links (DLLs) from Chrome's application directory, which is often named winhttp.dll and launches DLL hijacking attacks.
"The dll agent makes requests to the real winhttp.dll, but through the Chrome process it makes requests to facebook.com to avoid antimalware detection based on dynamic behavior by simulating harmless network requests," the researchers said. "
After stealing credentials, the malware uses Facebook GraphAPI to retrieve metadata about Facebook accounts, such as payment information and the total amount previously used for Facebook ads, a legitimate Facebook feature that allows users to read and write data in Facebook social pictures. The data is then sent back to the malware's C2 server (via a custom HTTP header as an encrypted JSON BLOB).
SilentFade has different persistence and detection avoidance policies, including detecting the code of the virtual machine (checking all available display driver description fields with "virtual" or "VM") and stopping execution when detected. It also disables Facebook notification alerts from compromised accounts, which can alert victims of suspicious activity.
Also, in a unique anti-detection strategy, the C2 server stores data and records the IP address of the incoming request for geolocation. "This is critical because attackers deliberately use stolen credentials from the same city or nearby city to allow stolen credentials to appear on infected machines, just as the original account owners did in their cities," the researchers said.
While a user's Facebook credentials are valuable, users with credit card-linked accounts, such as business accounts, also give cybercriminals the ability to use these payment cards to advertise malicious ads on Facebook.
However, "it should be noted that details of payment information, such as bank accounts and credit card numbers, were never exposed to attackers because Facebook does not display this information through desktop sites or graphical APIs," the researchers said.
As part of its investigation into SilverFade, Facebook has also identified other malware activity in China, including those called StressPant, Facebook Robot and Sranos. Facebook warned that some of the malware attacks were still active until June.
For the past year, the company has faced security and privacy issues.A lawsuit was filed last ThursdayIn the U.S., two companies use capture technology to conduct international data collection, including collecting data from Facebook, Instagram, Twitter, YouTube, LinkedIn and Amazon to sell "marketing intelligence." The data involved includes name, user ID, gender, date of birth, relationship status, location information, etc.
In the process, Facebook warned that it expected cybercriminals to continue to bet more when it comes to launching attacks on its platform.
"We expect more platform-specific malware to appear on platforms that serve a wide range of users, as the evolving ecosystem for Facebook shows," Facebook said. "Only through strong collaboration between user education and the security industry as a whole can we measure the scale of malicious activity and respond effectively to it."
Guess you like it
Every compliment you order, I take it seriously
Go to "Discovery" - "Take a look" browse "Friends are watching"