Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts
Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.
In the past few weeks, there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest for Facebook advertising accounts.
Now, we’ve discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.
We have passed the information about this campaign and the threat actors to Meta and thank it for taking prompt action following our reporting.
Key takeaways
- Vietnamese threat actors are actively targeting Facebook business accounts
- Victims are lured via fake Ads Manager software promoted on Facebook
- Malicious Google Chrome extensions are used to steal and extract login information
- Over 800 victims worldwide, 310 in the US
- More than $180K in compromised ad budget
Fake Ads Manager accounts
Ads Manager is the product that enables users to run online ads on Facebook, Instagram and other platforms owned by Meta. An article in TechCrunch from May describes how scammers were buying ads from Meta via verified accounts. They were trying to entice potential victims into downloading software to manage their advertising via a “more professional and secure tool”.
In early June, we identified fraudulent accounts running the same scam using similar lures. It is also worth noting that these accounts often have tens of thousands of followers and any of their posts can quickly become viral. Scammers are primarily targeting business users who may spend ad dollars on the platform.
In order to compromise those accounts, they first need to redirect potential victims onto external websites. We’ve seen several different domains that are essentially phishing pages using the Meta logo and branding. The lure is the Facebook Ads Manager program that is pushed via a download link. We’ve seen various cloud providers abused to host these password-protected RAR archives ranging from Google to Trello, as seen below.
Malicious Chrome extension
Once extracted from the archive, the file is an MSI installer package that installs several components under C:Program Files (x86)Ads ManagerAds Manager. We can see a batch script (perhaps named after Google Bard), and two folders. One of them is for a custom Chrome extension while the System folder contains a standalone WebDriver file.
The batch script is launched after the MSI installer completes and essentially spawns a new browser window launched with the custom extension from that previous installation path, pointing the victim to the Facebook login page.
taskkill /F /IM chrome.exe
taskkill /F /IM chromedriver.exe
timeout /t 1 >nul
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from the local computer, rather than the Chrome Web Store. A quick look at its source code reveals immediate hex obfuscation in an attempt to hide what it is actually doing.
After reverse engineering this extension, it became quite clear that it had nothing to do with Google Translate. In fact, the code is entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts. We can see that the threat actors are interested in Facebook cookies which they request via the cookies.getAll method.
We also notice an interesting way to exfiltrate that data by using Google Analytics. This technique was previously documented by HUMAN as a way to bypass CSP.
Accidental leak
In total, we identified over 20 different malicious Facebook Ad Manager archives that installed Chrome extensions or instead went with traditional malware executables. While there are variations between samples, the attackers’ main goal appears to be the same, namely to collect Facebook business accounts.
While investigating a new phishing site, we saw an archive for download that looked quite different from the others. Ironically, it seems like the threat actors made a mistake and instead of putting the payload, they leaked their own stolen data, or rather the data they stole from victims.
The site we came across pretends to be Meta Ads Manager and boasts the same claims of increasing ad performance that we’ve seen before. There is a button to download a file called Meta Ads Manager.rar which is hosted on Google Drive.
However, this archive does not contain the expected MSI installer, but instead several text files that were last modified on June 15:
While the file names are self-explanatory, we can see that they contain information about authentication (checkpoint, cookie, token). There is also information about the threat actor who shared this file (file owner) via Google Drive and their Gmail email address (this information has been passed to Meta for further action).
The first row of the file called List_ADS_Tach.txt contains column headers with some names in Vietnamese, confirming the nationality of the individuals behind these attacks. In total, there are 828 rows, which translates into just as many Facebook accounts that were breached.
As expected, the threat actors are particularly interested in their victims’ advertising accounts. We can see different metrics related to ad budget (column titles were translated from Vietnamese and may be slightly inaccurate) as well as currencies:
Prized accounts will be those that have a large remaining balance for ad spend. While we do not know if this threat actor is directly associated with DuckTail, they have the same motives of financial profit from hacked Facebook business accounts.
Finally, by converting the data into a map, we can see that victims are not confined to a particular geolocation, in fact they are distributed worldwide.
The threat actors realized their mistake a few days later and trashed the file from their Google Drive account. They also updated the download link on the phishing site, with a new file hosted via MediaFire (fortunately for users, the file was detected as malware and the download is blocked).
A low cost, high yield threat
Business users may be tempted to optimize their ad campaigns on Facebook by clicking on certain posts and downloading programs that claim to increase their earnings. This is, however, a very dangerous practice even if (or especially if) the instructions claim that the software is secure and free of malware. Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.
Fraudsters have a lot of time of their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arm’s race to keep bad actors out. Based on reports highlighted in TechCrunch’s recent article, the threat actors may also reinvest some of the stolen ad budgets to place out malicious ads to ensnare more victims and perpetuating this cycle.
If you did happen to download one of those malicious Facebook Ad Manager installers, Malwarebytes has your back. We were already picking up several components from these campaigns and have added additional protection for optimal detection coverage. Victims will also want to revoke access to unknown users from their Business Manager account profile that the fraudsters may have added, as well as review their transactions history.
We would like to thank Meta for being receptive to our report and helping to keep users safe.
Indicators of Compromise
Decoy site
fbadmanage[.]info
RAR archives (password 888 or 999)
e73f53ea5dca6d45362fef233c65b99e5b394e97f4f2fe39b374e49c6a273e60
2082e4a8cd0495aabb0f72a41224f134214d0959e208facbfe960c8c74166cda
3638702c83364fc625c0f91388e9b06d94c3486ac0357038f66667d05f9c52e6
547955e97c945ad7283e1637ec0f5e2dbf13c7fb4885a854fb0744542579c6ff
587698e967d05a649428d3a4e45fd64fcea18affd5b021f15d01b8a39a244f8a
6719e6ba89b0a59d325f4531432195afe65154c1d63b9c3bab8ad8925f2f911d
72ba4254e94b7308de92652d1aaf29084fae55d01e0643df1050a638a3bd9dc8
76731d0ed28a552c6f673b6c3e1b08c0499d4b44050df6838439055e01990406
81d9bc3eabe578d606787ab191dd0ff7e8f58a06e35813591e17855daef8505b
8564962190135783b2f21c64cc05fdb226a89a7cbd309ca353fcc31a2a669f0e
8a6a2d439e537b5985b7492f0dded6ae3e1e80133c073d09849712c08927ca55
99057370f8c0312bb5b4a7ed0bd3753b60488e71576af210edd7f813514acb55
a29131934b589eb325a76c7d638ac3a0a55c5f185189c71cdf79d8d662129fb7
b146d19f7ea988f36449463931758935a54b58e1052dd3a5d20060b2e991b1da
c3704b2250e0e8663c86ad5a63e1051004d6967827ef90aab553ddfce682ca5a
c9f0da6aa38d4c3d38dc734d7937cdac47c272cca3e2df030242854a9661d314
d43d288368bad68e600dae08db5e4846adcaeb4a7d1902ab76417fca3f4c0cf7
e94b66b1a3f27dc282a451d3820b3d3d8380be9b9ebab04eedcf4bb0020908e8
f128cbfddf3d5c2f5742d3d5d5dae1a041023eba543ee2ddf4d8afdbd42f29b3
f1b14728d9f42def90e6eec8c32b2ef5eef43e73383eefa70bf70d8be953c3e5
f9ccac29307547adbf779338d6f22bde128feea847012f6392d7ef69cab30878
Analyzed MSI file
fd637520a9ca34f7b4b21164581a4ec498bf106ba168b5cb9fcd54b5c2caafd0