Hacker group attacks Facebook accounts with SilentFade Malware


At Virus Bulletin 2020 yesterday, Facebook's security team shared details of a malware campaign, SilentFade, that compromised user accounts and abused the platform's ad system at the victims' expense.

Although the malware was first detected in the final week of 2018, the cybercrime group behind it is believed to have been operating since 2016, constantly adapting to new Facebook features and likely expanding to other social platforms and web services as well.

Fake Products

The ads were geo-targeted so that the owners of the hijacked accounts paying for them would not see them. They pushed fake and dubious products: weight-loss pills, diet pills, sexual-health products, handbags and shoes, among many others.

Spreading the Malware

Distribution channels for SilentFade include potentially unwanted program (PUP) bundles within pirated copies of legitimate software, as well as other malware families. The PUP bundles included a downloader component that fetched a standalone malware component meant to achieve persistence and to drop malicious DLLs into Chrome's application directory, where Windows' DLL search order lets them be loaded in place of legitimate libraries (DLL hijacking).
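The drop into Chrome's application directory works because Windows searches the executable's own directory before System32 for any DLL not on the KnownDLLs list. The following script, added here as an example and not part of the original article or Facebook's research, shows the simplest host-side check for that technique: baseline the SHA-256 hashes of the DLLs in an application directory and report anything new or changed, flagging names that match commonly hijacked system DLLs. The directory contents, the baseline and the planted `version.dll` are constructed in a temporary folder; the heuristic list of DLL names is an assumption of this example, not something taken from the article.

```python
"""Spot DLL-hijacking drops in an application directory (added example).

Windows searches an executable's own directory before System32 for any DLL
that is not in the KnownDLLs list, so an attacker who can write to Chrome's
application directory can plant e.g. a fake version.dll that the browser
loads instead of the real one.  This script keeps a SHA-256 baseline of the
DLLs in that directory and reports anything new, changed, or named like a
commonly hijacked system DLL.
"""
import hashlib
import json
import os
import tempfile

# System DLL names frequently planted next to an EXE for search-order
# hijacking.  Heuristic list assumed for this example, not from the article.
SUSPICIOUS_NAMES = {
    "version.dll", "winhttp.dll", "wininet.dll", "cryptbase.dll",
    "dwmapi.dll", "uxtheme.dll", "profapi.dll", "userenv.dll",
}


def hash_dlls(directory):
    """Return {filename: sha256 hex} for every *.dll directly in `directory`."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.lower().endswith(".dll") or not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[name] = digest.hexdigest()
    return result


def check_against_baseline(baseline, current):
    """Diff two hash maps and classify the differences."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(n for n in current
                      if n in baseline and current[n] != baseline[n])
    removed = sorted(set(baseline) - set(current))
    suspicious = sorted(n for n in added if n.lower() in SUSPICIOUS_NAMES)
    return {"added": added, "modified": modified, "removed": removed,
            "suspicious_names": suspicious}


def demo():
    """Constructed scenario: baseline a stand-in Chrome dir, then plant a DLL."""
    with tempfile.TemporaryDirectory() as app_dir:
        # Constructed stand-ins for Chrome's own binaries (not real files).
        for name, content in (("chrome.dll", b"legit chrome code"),
                              ("chrome_elf.dll", b"legit elf code"),
                              ("chrome.exe", b"not a dll, ignored")):
            with open(os.path.join(app_dir, name), "wb") as fh:
                fh.write(content)
        # The baseline would normally be stored out of band; JSON round-trip
        # stands in for that here.
        baseline_json = json.dumps(hash_dlls(app_dir))

        # Simulated hijack: a DLL named like a system library is dropped, and
        # an existing DLL is tampered with.
        with open(os.path.join(app_dir, "version.dll"), "wb") as fh:
            fh.write(b"malicious loader")
        with open(os.path.join(app_dir, "chrome_elf.dll"), "ab") as fh:
            fh.write(b" + appended payload")

        return check_against_baseline(json.loads(baseline_json),
                                      hash_dlls(app_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real Windows host you would point `hash_dlls` at the Chrome application directory and refresh the baseline on each legitimate browser update; combining the hash diff with an Authenticode signature check on any added or modified file (not shown, as it needs Windows APIs) separates a genuine update from a planted library.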

Modus Operandi

SilentFade then used the stolen Facebook session cookie to log in to the victim's account, without needing the password or a two-factor code, since a valid session cookie is accepted as proof of an already completed login. Once in, its scripts turned off many of Facebook's notification and security features and blocked the 'Facebook for Business' and 'Facebook Login Alerts' pages, which are the pages that message a user when suspicious activity is detected on the account. SilentFade also exploited a bug in Facebook that prevented victims from unblocking those pages again.

Notification alerts were completely turned off for the compromised accounts, preventing users from learning of the suspicious activity taking place. Login alerts and the Facebook for Business pages were blocked as well.

With the alerts silenced, the attackers ran malicious ads from the victims' legitimate pages, paid for with the original account owners' payment methods.
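The security-relevant point of the three paragraphs above is that a replayed session cookie never touches the login path, so password and 2FA checks cannot catch it; what a platform can notice is the same cookie arriving with a different client fingerprint than the one that created it, followed by changes that silence the account's alerts. The script below, added here as an example and not code from the article or from Facebook, runs exactly that logic over a constructed event log. The log lines, field layout, ASN numbers, user agents, the 30-minute window and the list of alert-silencing settings are all assumptions of this example.

```python
"""Flag stolen-session reuse followed by alert suppression (added example).

A stolen session cookie skips both the password and the 2FA prompt, so the
server cannot rely on the login path to notice a takeover.  It can notice
the cookie turning up with a different (network, client) fingerprint than
the one recorded at login, and alert-silencing changes made right after.
Events, fields and thresholds below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real Facebook logs).
# Fields: time|account|session|event|asn|user_agent|detail
SAMPLE_EVENTS = """\
2018-12-20T09:00:00Z|alice|sess-A1|login|7922|Chrome/70 Win10|password+2fa
2018-12-20T09:05:00Z|alice|sess-A1|view|7922|Chrome/70 Win10|feed
2018-12-21T02:14:00Z|alice|sess-A1|view|4134|python-requests/2.20|settings
2018-12-21T02:15:00Z|alice|sess-A1|setting_change|4134|python-requests/2.20|notifications=off
2018-12-21T02:15:30Z|alice|sess-A1|setting_change|4134|python-requests/2.20|block_page=Facebook Login Alerts
2018-12-21T02:20:00Z|alice|sess-A1|ad_create|4134|python-requests/2.20|campaign=diet-pills
2018-12-21T10:00:00Z|bob|sess-B7|login|3320|Firefox/64 Win7|password+2fa
2018-12-21T10:30:00Z|bob|sess-B7|setting_change|3320|Firefox/64 Win7|notifications=off
2018-12-22T08:00:00Z|carol|sess-C3|login|7922|Chrome/70 Win10|password
2018-12-22T18:00:00Z|carol|sess-C3|view|7922|Chrome/71 Win10|feed
"""

SUPPRESSION_WINDOW = timedelta(minutes=30)          # assumed threshold
SUPPRESSING_CHANGES = ("notifications=off", "block_page=")  # assumed settings


def parse_events(text):
    """Parse the pipe-delimited log into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, session, event, asn, ua, detail = line.split("|", 6)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "session": session, "event": event,
            "asn": asn, "ua": ua, "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_session_abuse(events):
    """Return alerts for cookie replay and for alert-silencing after a replay."""
    fingerprints = {}   # session -> (asn, user_agent) recorded at login
    replay_seen = {}    # session -> time of the first replay alert
    alerts = []
    for e in events:
        key = e["session"]
        fp = (e["asn"], e["ua"])
        if e["event"] == "login":
            fingerprints[key] = fp          # the only point where 2FA ran
            continue
        origin = fingerprints.get(key)
        if origin is None:
            continue                        # session predates the log window
        # Rule 1: same cookie, but network AND client changed at once.
        # A single change (browser update, mobile roaming) is too noisy,
        # as carol's Chrome/70 -> Chrome/71 shows.
        if origin[0] != fp[0] and origin[1] != fp[1] and key not in replay_seen:
            replay_seen[key] = e["time"]
            alerts.append({"rule": "session_replay", "account": e["account"],
                           "session": key, "time": e["time"].isoformat(),
                           "detail": f"{origin} -> {fp}"})
        # Rule 2: alert-silencing changes shortly after a replay.  The same
        # change from the owner's own fingerprint (bob) is not flagged.
        if (e["event"] == "setting_change" and key in replay_seen
                and e["time"] - replay_seen[key] <= SUPPRESSION_WINDOW
                and e["detail"].startswith(SUPPRESSING_CHANGES)):
            alerts.append({"rule": "alert_suppression_after_replay",
                           "account": e["account"], "session": key,
                           "time": e["time"].isoformat(),
                           "detail": e["detail"]})
    return alerts


def run_demo():
    """Run both rules over the constructed sample log."""
    return detect_session_abuse(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The check is necessarily server-side: the victim's machine is already running the malware, and the malware's first moves are to remove the signals the victim would otherwise see. Requiring a fresh authentication before notification settings or page blocks can be changed would turn the second rule from a detection into a prevention.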

Remediation

After identifying the malicious activity, Facebook patched a server-side flaw, reverted the blocked notification state on all affected accounts, forced password resets, invalidated sessions, added more fixes and detection mechanisms, and reimbursed affected users.

Facebook security researchers Sanchit Karve and Jennifer Urgilez, who reported on the attack, said, 'As the evolving ecosystem targeting Facebook shows, the number of users serving the service continues to grow. We anticipate more platform-specific malware on the platform.'

Facebook traced the campaign and the SilentFade malware to ILikeAd Media International Company Ltd., a Hong Kong-based software company founded in 2016, and to Chen Xiao Cong and Huang Tao, the two men behind it. Facebook sued the company and the two developers in December 2019 in a legal case that is still ongoing.