Profile Stealers Spread via LLM-themed Facebook Ads

Threat actors used paid Facebook ads themed around LLMs such as Google Bard to lure users to password-protected archives containing an MSI installer, which deploys a malicious Chrome extension impersonating Google Translate to harvest Facebook session cookies, access tokens, and business/ad account details. The lure chain runs through rebrand.ly redirects and Google Sites landing pages, with the archives hosted on Google Drive or Dropbox; the stolen data is encoded and exfiltrated to a command-and-control server. #GoogleBard #Meta

Keypoints

  • Attackers purchased Facebook ads impersonating marketing profiles and LLM tools to redirect victims to malicious landing pages.
  • Ads use URL shorteners (rebrand.ly) and Google Sites landing pages that link to password‑protected archives hosted on Google Drive or Dropbox.
  • Archives contain a single MSI installer; running it drops Chrome extension files (background.js, content.js, manifest.json, favicon.png) and a batch script that restarts the browser with the malicious extension loaded.
  • The extension impersonates Google Translate and checks for the Facebook c_user cookie before proceeding to steal the access token.
  • Stolen access tokens are used to query Facebook’s GraphQL API to enumerate managed pages, business details, and advertisement account information.
  • Collected data (cookies, token, user agent, page/business/ad info, IP) is URL‑encoded, base64‑encoded, and sent to a command‑and‑control server; campaign IDs are appended to the user agent for attribution.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Malicious paid Facebook advertisements redirect users to a landing site with a download link for the “AI package” (‘Once the user selects the link in the advertisement, they are redirected to a simple website… It also contains a link for downloading the actual “AI package”’).
  • [T1204.002] User Execution: Malicious File – The attack relies on the victim opening the password-protected archive and running the MSI installer inside it (‘the archive, once opened and decrypted with the correct password, usually contains a single MSI installer file. When the victim executes the installer…’).
  • [T1027] Obfuscated Files or Information – The payload is distributed as a password-protected archive, which keeps gateway and endpoint scanners from inspecting the MSI until the victim decrypts it (‘the threat actor distributes the package as an encrypted archive with simple passwords like “999” or “888”’).
  • [T1176] Browser Extensions – The installer drops extension files and forces the browser to restart with a malicious extension impersonating Google Translate loaded (‘it then runs a batch script to kill the currently running browser and restarts it, this time loaded with a malicious extension that impersonates Google Translate’).
  • [T1539] Steal Web Session Cookie – The extension checks for and steals Facebook cookies (including c_user) as a prerequisite to further actions (‘the script attempts to steal Facebook cookies. It specifically checks for the presence of c_user cookie’).
  • [T1078] Valid Accounts – The stolen access token is replayed against Facebook APIs as if by the legitimate account holder to enumerate managed pages, business, and ad account details (‘Having stolen the access token, the script can query Facebook’s GraphQL API for additional information… enumerate the account’s managed pages and information about them’).
  • [T1041] Exfiltration Over C2 Channel – Collected data are concatenated, encoded, and exfiltrated to a command-and-control server (‘All the stolen information … are concatenated, URL-encoded, base64-encoded, and exfiltrated to a command-and-control C&C server’).

Indicators of Compromise

  • [Domain] campaign domain – gbard-ai[.]info; rebrand.ly short links were used for ad-link redirection and campaign tracking (rebrand.ly itself is a legitimate URL shortener, so alert on the specific short links rather than on the service).
  • [Hosting services] payload hosting – Google Drive, Dropbox (used to host password‑protected archives containing the MSI installer).
  • [File names] extension payload files – background.js, content.js, manifest.json, favicon.png (dropped by the MSI to form the malicious Chrome extension).
  • [Campaign IDs] infection identifiers appended to user agent – examples ‘*fb|’ and ‘*gs2|’ (used to track source/campaign within the stolen data).
  • [IOC list URL] published indicators – https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/h/profile-stealers-spread-via-llm-themed-facebook-ads/iocs-profile-stealers-spread-via-llm-themed-facebook-ads.txt

The technical infection flow begins with paid Facebook advertisements that redirect users (often via rebrand.ly short links) to a landing page hosted on Google Sites. Those pages provide a password‑protected archive (commonly with simple passwords like “999” or “888”) hosted on cloud storage (Google Drive or Dropbox); when the victim downloads, decrypts, and runs the included MSI installer, it executes the attacker’s payload.

The MSI installer drops Chrome extension components (background.js, content.js, manifest.json, favicon.png) and executes a batch script that terminates the running browser and restarts it with the malicious extension loaded. The extension is designed to impersonate Google Translate visually while its service worker contains the main stealing logic.
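The dropped file set (manifest.json, background.js, content.js, favicon.png) gives a responder something concrete to triage on a suspect host. The block below is an added example, not code from the Trend Micro report or from the malware: it scores a Chrome extension manifest on traits a Translate-impersonating Facebook cookie stealer would have to declare and walks a directory tree for matches. The specific traits (the cookies permission or a content script with facebook.com host access, and the absence of the Web Store update_url that side-loaded extensions lack) are assumptions about what such an extension needs, not facts the report states, and both sample manifests are constructed. The command-line check is likewise an assumption: the page does not say how the batch script loads the extension, and --load-extension is one Chrome switch that does so.

```python
"""Triage Chrome extension manifests for a Translate-impersonating Facebook
cookie stealer. Added example with assumed heuristics, not the report's code."""
import json
import shlex
import tempfile
from pathlib import Path

# Assumed traits: reading facebook.com cookies needs the "cookies" permission
# plus facebook host access, or a content script on facebook.com; an extension
# not installed from the Chrome Web Store usually has no update_url.
IMPERSONATED_NAME_TOKENS = ("translate",)
TARGET_HOST = "facebook.com"


def _host_patterns(manifest):
    """Collect every host pattern the extension can touch (MV2 and MV3 forms)."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats


def score_manifest(manifest):
    """Return (score, reasons) for one parsed manifest.json dict."""
    reasons = []
    name = str(manifest.get("name", "")).lower()
    if any(tok in name for tok in IMPERSONATED_NAME_TOKENS):
        reasons.append(f"name impersonates a Google product: {manifest.get('name')!r}")
    if "cookies" in manifest.get("permissions", []):
        reasons.append("declares the 'cookies' permission")
    hosts = _host_patterns(manifest)
    if any(TARGET_HOST in h or h == "<all_urls>" for h in hosts):
        reasons.append(f"can reach {TARGET_HOST} via {hosts}")
    if "update_url" not in manifest:
        reasons.append("no update_url, so not installed from the Chrome Web Store")
    return len(reasons), reasons


def scan_extension_dirs(root, threshold=3):
    """Walk a directory tree; return [(extension_dir, reasons)] at or above threshold."""
    findings = []
    for mf in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not an extension manifest
        score, reasons = score_manifest(manifest)
        if score >= threshold:
            findings.append((str(mf.parent), reasons))
    return findings


def sideload_extension_path(cmdline):
    """Return the directory a chrome.exe command line force-loads via
    --load-extension, or None. Assumption: the report does not name the
    mechanism the batch script used; this is one Chrome offers."""
    for arg in shlex.split(cmdline, posix=False):  # posix=False keeps Windows backslashes
        if arg.startswith("--load-extension="):
            return arg.split("=", 1)[1].strip('"')
    return None


# Constructed sample manifests (not recovered from the campaign).
FAKE_TRANSLATE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "1.0",
    "background": {"service_worker": "background.js"},
    "permissions": ["cookies", "storage"],
    "host_permissions": ["*://*.facebook.com/*"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["content.js"]}],
    "icons": {"48": "favicon.png"},
}
BENIGN_STORE_MANIFEST = {
    "manifest_version": 3,
    "name": "Notes",
    "version": "2.1",
    "permissions": ["storage"],
    "update_url": "https://clients2.google.com/service/update2/crx",
}


def demo():
    """Write both manifests into a temporary tree, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, m in (("fake_translate", FAKE_TRANSLATE_MANIFEST), ("notes", BENIGN_STORE_MANIFEST)):
            d = Path(tmp, sub)
            d.mkdir()
            (d / "manifest.json").write_text(json.dumps(m), encoding="utf-8")
        return scan_extension_dirs(tmp)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path)
        for r in reasons:
            print("  -", r)
```

Point scan_extension_dirs at the directory the installer wrote to rather than only at the profile's Extensions folder: an extension loaded from the command line lives wherever its files were dropped, and feed sideload_extension_path the command lines from process-creation telemetry for browser processes.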

Once active, the extension checks for the Facebook c_user cookie and extracts the access token; it uses that token to call Facebook’s GraphQL APIs to enumerate managed pages, business account details, and advertisement account information (including ad status, spend, and balances). The extension collects cookies, token, user agent (with an appended campaign ID), and other details, then URL‑encodes, base64‑encodes, and exfiltrates the assembled data to a command‑and‑control server.
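The exfiltration step is the one a network defender can unwind from a captured request body. The block below is an added example, not the report's or the malware's code: it reverses the reported encoding order (percent-encoding, then base64) and extracts what an analyst wants from the result, the c_user value, whether an access token is present, and the campaign ID appended to the user agent in the ‘*fb|’ form. The field layout (key=value pairs joined with ‘&’) and the sample payload are assumptions constructed for the example; the report does not publish the wire format.

```python
"""Decode and triage a captured profile-stealer exfil blob.
Added example; wire-format details are assumed, not taken from the report."""
import base64
import re
import urllib.parse

# Campaign tag the report describes being appended to the user agent, e.g. "*fb|".
CAMPAIGN_TAG = re.compile(r"\*([A-Za-z0-9]+)\|")


def encode_blob(fields):
    """Mirror the reported encoding: concatenate, percent-encode, then base64.
    The '&'-joined key=value layout is an assumption used to build test data."""
    joined = "&".join(f"{k}={v}" for k, v in fields.items())
    return base64.b64encode(urllib.parse.quote(joined, safe="").encode()).decode()


def decode_blob(blob):
    """Reverse base64 then percent-encoding; None if the blob is not base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return urllib.parse.unquote(raw.decode("utf-8", errors="replace"))


def parse_cookie_header(value):
    """'c_user=1; xs=abc' -> {'c_user': '1', 'xs': 'abc'}"""
    out = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            out[name] = val
    return out


def triage(blob):
    """Return the analyst-relevant view of one blob, or None if it is not base64."""
    text = decode_blob(blob)
    if text is None:
        return None
    fields = dict(p.split("=", 1) for p in text.split("&") if "=" in p)
    cookies = parse_cookie_header(fields.get("cookies", ""))
    ua = fields.get("ua", "")
    tag = CAMPAIGN_TAG.search(ua)
    token = fields.get("token", "")
    return {
        "fields": sorted(fields),
        "c_user": cookies.get("c_user"),  # victim's Facebook user ID
        "cookie_names": sorted(cookies),
        "token_present": bool(token),
        "token_preview": token[:6] + "..." if token else None,  # never log it whole
        "campaign": tag.group(1) if tag else None,
        "clean_ua": CAMPAIGN_TAG.sub("", ua).strip(),
    }


# Constructed sample, not a real capture: every value is a placeholder.
SAMPLE_FIELDS = {
    "cookies": "c_user=100012345678901; xs=PLACEHOLDERXS; datr=PLACEHOLDERDATR",
    "token": "EAABPLACEHOLDERTOKENVALUE0123456789",
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 *fb|",
    "ip": "203.0.113.7",
}
SAMPLE_BLOB = encode_blob(SAMPLE_FIELDS)

if __name__ == "__main__":
    for k, v in triage(SAMPLE_BLOB).items():
        print(f"{k:14} {v}")
```

Because the token and the xs cookie are live credentials for the victim's account, the triage view deliberately exposes only a token prefix and the cookie names; the c_user value is safe to record and is what identifies the compromised account for notification and session invalidation.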

Read more: https://www.trendmicro.com/en_us/research/23/h/profile-stealers-spread-via-llm-themed-facebook-ads.html