Criminals are targeting Facebook business accounts by promoting fraudulent Ads Manager software through malicious Chrome extensions that steal login credentials and ad budgets. The campaign uses phishing pages, a disguised extension loaded locally, and data exfiltration via Google Analytics, affecting hundreds of victims worldwide. #DuckTail #AdsManager #FacebookAdsManager #Meta #ChromeExtension #GoogleDrive #MediaFire #VietnameseThreatActors #FacebookBusinessAccounts
Key points
- Vietnamese threat actors are actively targeting Facebook business accounts
- Victims are lured via fake Ads Manager software promoted on Facebook
- Malicious Google Chrome extensions are used to steal and extract login information
- Over 800 victims worldwide, 310 in the US
- More than $180K in compromised ad budget
- 20+ malicious Facebook Ad Manager archives; some hosted on Google Drive and MediaFire
- Stolen data was accidentally leaked and the download links were later updated; Malwarebytes and Meta were involved in mitigation
MITRE Techniques
- [T1566.001] Phishing – The attackers lure victims via a phishing site that prompts the download of malicious software; “The lure is the Facebook Ads Manager program that is pushed via a download link.”
- [T1059.003] Command and Scripting Interpreter – The batch script launches after the MSI installer completes and spawns a new browser window loaded with the custom extension, directing to Facebook; “The batch script is launched after the MSI installer completes and essentially spawns a new browser window launched with the custom extension from that previous installation path, pointing the victim to the Facebook login page.”
- [T1036] Masquerading – The custom extension is disguised as Google Translate and loaded from a local path rather than the Chrome Web Store; “That custom extension is cleverly disguised as Google Translate… loaded from the local computer, rather than the Chrome Web Store.”
- [T1555.003] Credentials from Web Browsers – The extension focuses on harvesting Facebook cookies to log into accounts; “the threat actors are interested in Facebook cookies which they request via the cookies.getAll method.”
- [T1567.002] Exfiltration to Web Service – Data exfiltration is performed via Google Analytics to bypass CSP; “We also notice an interesting way to exfiltrate that data by using Google Analytics.”
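The technique chain above (a browser window spawned with a locally loaded extension, a manifest posing as Google Translate, cookie harvesting via cookies.getAll, and Google Analytics as the exfiltration channel) can be turned into a simple host triage check. The script below is an added example and is not code from the report or from Malwarebytes; it assumes the batch script uses Chromium's real --load-extension switch (the report only says the extension is loaded from a local path rather than the Chrome Web Store), and every command line, manifest and script snippet in it is constructed for illustration.

```python
"""Triage helper for the sideloaded-extension pattern described above.

Added example, not code from the original report. It looks for the traits the
write-up attributes to the campaign: a browser launched with a local extension
directory, a manifest posing as Google Translate, the cookies permission,
facebook.com host access, and references to Google Analytics as a transport.
Assumptions: the batch script uses Chromium's --load-extension switch (a real
switch; the report only says the extension is loaded from a local path), and
every sample value below is constructed for the example.
"""
import re
from typing import Dict, List

# --load-extension accepts a comma-separated list of directories; quoted paths
# may contain spaces, unquoted ones are read up to the next whitespace.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))')


def sideloaded_extension_paths(cmdline: str) -> List[str]:
    """Return local extension directories a browser command line loads outside the Web Store."""
    match = LOAD_EXT_RE.search(cmdline)
    if not match:
        return []
    value = match.group(1) or match.group(2)
    return [p for p in value.split(",") if p]


def manifest_findings(manifest: Dict) -> List[str]:
    """Flag manifest traits matching the report. MV2 puts host patterns in
    'permissions', MV3 in 'host_permissions'; both are checked."""
    findings: List[str] = []
    name = str(manifest.get("name", "")).lower()
    if "translate" in name:  # triage signal only; a genuine translator matches too
        findings.append("name imitates Google Translate")
    perms = {str(p) for p in manifest.get("permissions", [])}
    hosts = {str(h) for h in manifest.get("host_permissions", [])}
    hosts |= {p for p in perms if "://" in p}
    if "cookies" in perms:
        findings.append("requests the cookies permission")
    if any("facebook.com" in h for h in hosts):
        findings.append("host access to facebook.com")
    if any("google-analytics.com" in h for h in hosts):
        findings.append("host access to google-analytics.com")
    return findings


SCRIPT_SIGNATURES = {
    "cookies.getAll": "calls cookies.getAll",
    "google-analytics.com": "references google-analytics.com",
}


def script_findings(source: str) -> List[str]:
    """Grep the extension's JavaScript for the API and transport the report names."""
    return [label for needle, label in SCRIPT_SIGNATURES.items() if needle in source]


def triage(cmdline: str, manifest: Dict, script_source: str = "") -> Dict:
    """Combine the three checks: 'high' needs a sideloaded extension that can read
    facebook.com cookies, 'medium' any sideload with a suspicious trait."""
    paths = sideloaded_extension_paths(cmdline)
    findings = manifest_findings(manifest) + script_findings(script_source)
    can_read_fb_cookies = (
        "requests the cookies permission" in findings
        and "host access to facebook.com" in findings
    )
    if paths and can_read_fb_cookies:
        verdict = "high"
    elif paths and findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"sideloaded_paths": paths, "findings": findings, "verdict": verdict}


# Constructed sample values (not from the report) so the example runs offline.
SAMPLE_CMDLINE = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--load-extension="C:\Users\victim\AppData\Local\Temp\gtranslate" '
    r'https://www.facebook.com/login'
)
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "permissions": ["cookies", "tabs"],
    "host_permissions": ["https://*.facebook.com/*", "https://www.google-analytics.com/*"],
}
SAMPLE_SCRIPT = (
    'chrome.cookies.getAll({domain: "facebook.com"}, handleCookies);\n'
    'var beacon = "https://www.google-analytics.com/collect";\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE, SAMPLE_MANIFEST, SAMPLE_SCRIPT))
```

In practice the command line comes from process-creation telemetry (a browser started by a batch file with --load-extension is unusual on its own), and the manifest and scripts are read from the directory that switch points to; the three signals are kept separate so each can be tuned or logged independently.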
Indicators of Compromise
- [Domain] decoy site – fbadmanage.info
- [Hash] Malware payload (archive) – e73f53ea5dca6d45362fef233c65b99e5b394e97f4f2fe39b374e49c6a273e60, 2082e4a8cd0495aabb0f72a41224f134214d0959e208facbfe960c8c74166cda and 2 more hashes
- [Hash] Analyzed MSI file – fd637520a9ca34f7b4b21164581a4ec498bf106ba168b5cb9fcd54b5c2caafd0
- [File Name] Meta Ads Manager.rar – hosted on Google Drive
- [File Name] List_ADS_Tach.txt – contains authentication-related data and Vietnamese identifiers