Advances in technology, together with the emergence of AI, have brought devastating changes to the digital world. A malvertising campaign has been discovered in which the threat actors hijack social media pages, rename them to impersonate popular AI photo editors, and then post malicious links to fake websites imitating a legitimate photo editor. To boost the malicious posts, many paid advertisements are promoted during the process.
The infection chain starts at the malicious websites, where victims are tricked into visiting the download section and installing a package that looks like a photo editor but is actually a legitimate endpoint management utility carrying a malicious configuration. Once installed, the utility allows remote management of the device, and the attackers abuse this feature of the tool to download and execute credential stealers, leading to the exfiltration of sensitive data and credentials.
A similar scenario is seen in a Facebook malvertising campaign in which the threat actors target users searching for AI image editing tools and steal their credentials by luring them into installing fake apps that mimic legitimate software. The abuse of paid Facebook promotions for malicious purposes is not new.
The attackers take advantage of the popularity of AI-driven image-generation tools by designing malicious websites that resemble legitimate services, ultimately infecting potential victims with information-stealer malware.
The attacks begin with phishing messages sent to Facebook page owners or administrators, leading to fake account-protection pages designed to trick them into providing their login information. After obtaining the credentials, the attackers hijack the accounts, take control of the pages, publish malicious posts, and promote them through paid advertising.
Ways to Trick Victims
- Spamming the Facebook page with fake complaints: Here, the attackers target a social media page in order to gain control of it. Initially, they send messages to the administrator containing phishing links, either direct links or personalized link pages (linkup.top, bio.link, s.id, and linkbio.co). These links appear legitimate, and the users are unaware of the deception. The sender typically uses an empty profile with a randomly generated username followed by a few numbers.
- Phishing website for obtaining credentials: The administrators of the targeted Facebook pages click on the personalized links and see a screen resembling the genuine login page. After they enter their credentials, they are led to a fake account-protection page that asks for the information needed to log in and take over the account, such as phone number, email address, birthday, and password. In this way, the attackers successfully steal the profile and start posting malicious ads.
- Creating malicious posts: Once they have taken control of the Facebook pages, the attackers start posting advertisements that point to a fake AI photo editor domain. In this campaign, the legitimate photo editor whose name is abused is Evoto.
- Fake photo editor web page: The fake photo editor web page closely resembles the original one, which works very well to trick victims into thinking they are downloading a photo editor. In reality, they are downloading and installing endpoint management software. The JavaScript responsible for downloading the package keeps download statistics in a variable called download_count.
- Abusing ITarian remote monitoring and management software: When the victims install the MSI package (disguised as a photo editor installer), their devices are immediately enrolled for management, giving the threat actors full remote control of the device. ITarian is free endpoint management software. The attackers sign up for a free account, register a subdomain, and create an installation MSI package, which is then distributed to victims. Notably, the MSI package itself does not contain any malicious components, nor any file with a malicious configuration. Once the device is successfully enrolled for remote management, scheduled tasks are executed. These scheduled tasks are of the Python_Procedure type and contain:
  1) A simple downloader in Python that downloads and executes an additional payload. The additional payload is typically Lumma Stealer, and its binary is usually encrypted with PackLab Crypter.
  2) A simple script that excludes drive C: from being scanned by Microsoft Defender.
- Lumma Stealer as the final payload: The final payload is Lumma Stealer. Its initial C&C communication consists of two consecutive POST requests to the /api URL path with the x-www-form-urlencoded content type. The body of the first request is act=life; the body of the second request is "act=recive_message&ver=<version>&lid=<id>&j=" (sic), and the response is a Base64-encoded stealer configuration.
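As an added example (not from the original post), the two-request handshake described above can be turned into a detection over HTTP proxy logs. The pipe-delimited log format, the host c2.example.invalid, and the ver/lid values are constructed for illustration:

```python
from urllib.parse import parse_qs

# Constructed sample HTTP proxy log (not from the original post), one record per line:
# timestamp|client_ip|method|host|path|content_type|request_body
SAMPLE_LOG = """\
2024-08-01T10:00:01Z|10.0.0.5|POST|c2.example.invalid|/api|application/x-www-form-urlencoded|act=life
2024-08-01T10:00:02Z|10.0.0.5|POST|c2.example.invalid|/api|application/x-www-form-urlencoded|act=recive_message&ver=4.0&lid=AbCd12&j=
2024-08-01T10:00:05Z|10.0.0.7|POST|shop.example|/api|application/x-www-form-urlencoded|act=login&user=bob
2024-08-01T10:00:09Z|10.0.0.9|POST|c2.example.invalid|/api|application/x-www-form-urlencoded|act=life
2024-08-01T10:00:30Z|10.0.0.9|GET|shop.example|/|-|-
"""

FIELDS = ("ts", "client", "method", "host", "path", "ctype", "body")

def parse_line(line):
    """Split one pipe-delimited record into a dict; None if malformed."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_api_form_post(rec):
    """True for a form-encoded POST to /api, the shape both beacon requests share."""
    return (rec["method"] == "POST" and rec["path"] == "/api"
            and rec["ctype"].startswith("application/x-www-form-urlencoded"))

def find_lumma_beacons(lines):
    """Return one alert per (client, host) pair that completes the two-step handshake:
    a POST /api body of act=life, followed by a POST /api body whose act is
    recive_message (the stealer's own misspelling). Any other form POST to /api
    from the same client to the same host in between resets the match."""
    pending = set()   # (client, host) pairs that have just sent act=life
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_api_form_post(rec):
            continue
        key = (rec["client"], rec["host"])
        params = parse_qs(rec["body"], keep_blank_values=True)
        act = params.get("act", [""])[0]
        if act == "life":
            pending.add(key)
        elif act == "recive_message" and key in pending:
            pending.discard(key)
            alerts.append({"client": rec["client"], "host": rec["host"],
                           "ver": params.get("ver", [""])[0],
                           "lid": params.get("lid", [""])[0]})
        else:
            pending.discard(key)
    return alerts
```

Running `find_lumma_beacons(SAMPLE_LOG.splitlines())` on the sample flags only 10.0.0.5, which completed both steps; 10.0.0.9 sent act=life without the follow-up and is not reported.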
Security Recommendations
- Users should enable multi-factor authentication (MFA) on all social media accounts to provide an extra layer of protection against unauthorized access.
- Users should regularly update and use strong, unique passwords for social media accounts.
- Businesses should educate their employees on the consequences of phishing attacks and how to identify suspicious messages and links.
- Both organizations and individual users should monitor their accounts for any suspicious activity, such as unexpected login attempts or changes to account information.
- Users should always verify the legitimacy of links, especially those asking for personal information or login credentials.
- Organizations should consider using security solutions that can detect abnormal account activities.
