Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands

A persistent Facebook malvertising campaign exploits trust in cryptocurrency brands, using layered evasion and per-victim malware delivery to reach a narrowly targeted audience. It pairs a deceptive front-end script with a localhost listener on the victim's machine, so the malicious exchange never crosses the network path most controls inspect, and uses that channel to run payloads and exfiltrate data. (Affected: Facebook users, cryptocurrency sector)

Keypoints :

  • The campaign runs persistent malicious Facebook ads impersonating cryptocurrency brands.
  • Malware is delivered through a stealthy front-end script that talks to a localhost listener on the victim's machine, which keeps the payload traffic off the network path most controls inspect.
  • Hundreds of fake ads mimicking Binance, TradingView and other brands are used to maximise clicks.
  • Tracking logic filters victims by demographics, browser and Facebook ad parameters before the payload is served.
  • Cloned Facebook pages lure victims into downloading a fake "desktop client".
  • The malware runs a .NET-based local HTTP server that receives and executes remote payloads and exfiltrates data.
  • The front-end script orchestrates payload delivery, using encoded PowerShell commands and WMI queries.
  • Payloads adapt to the victim's environment and use sleep commands to outlast sandbox analysis windows.
  • Targeting is narrow, for example men aged 18+ in Bulgaria and Slovakia.
  • Bitdefender detects the related malware with generic signatures and reports having blocked thousands of infections.

MITRE Techniques :

  • Spearphishing Link (T1566.002) – Facebook ads impersonating crypto brands link victims to the lure pages; the ad placement itself falls under Acquire Infrastructure: Malvertising (T1583.008).
  • Masquerading (T1036) – Fake cryptocurrency exchange identities and cloned Facebook pages.
  • User Execution (T1204) – Victims are prompted to download and run a malicious "desktop client" installer.
  • Web Service (T1102) – The local .NET server receives commands and payloads over HTTP.
  • PowerShell (T1059.001) – Encoded PowerShell scripts handle payload delivery and data exfiltration.
  • Windows Management Instrumentation (T1047) – WMI queries gather system information for exfiltration.
  • System Network Configuration Discovery (T1016) – Network and system details collected via WMI queries.
  • Obfuscated Files or Information (T1027) – Multi-layered script obfuscation and encoded payloads.
  • Scheduled Task (T1053.005) – Tasks registered with Task Scheduler to maintain persistence.
  • Hidden Window (T1564.003) – Console output suppressed and windows hidden to avoid alerting the user.

Indicator of Compromise :

  • The linked article lists malicious MSI installer filenames (e.g. "installer.msi") tied to payload delivery.
  • It names DLLs that stand up localhost HTTP servers on specific ports (30303 and 30308).
  • It includes the encoded PowerShell command chains and the C2 URLs from which payloads are downloaded and executed.
  • It documents the gating indicators: URL query parameters (utm_campaign, fbid, cid) and a browser check that requires Microsoft Edge, which together decide who receives the payload.
  • It provides file hashes and JavaScript filenames detected by Bitdefender as Generic.MSIL.WMITask and Generic.JS.WMITask.
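Detection logic for the two host-side artefacts this summary describes, written as an added example (not code from the Bitdefender report or from this page): a browser process connecting to a localhost listener on port 30303 or 30308 (the ports named in the indicators above), and encoded PowerShell whose decoded body contains WMI queries or sleep calls (the key points above). The records it runs over are constructed Sysmon-style events reduced to the fields the checks need; the browser image names, the shell image names and the regexes for WMI and sleep calls are assumptions chosen for illustration.

```python
"""Hunt over Sysmon-style records for the artefacts the campaign summary
describes: a browser talking to a localhost listener on 30303/30308, and
encoded PowerShell that runs WMI queries or sleeps before acting.

Added example, not code from the Bitdefender report. The records below are
constructed and reduced to the Sysmon fields the checks need
(EventID 1 = process create, EventID 3 = network connect)."""
import base64
import re

SUSPECT_PORTS = {30303, 30308}                           # ports from the IoC section
LOOPBACK = {"127.0.0.1", "::1"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}   # assumed browser image names
SHELLS = {"powershell.exe", "pwsh.exe"}                  # assumed shell image names

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob (assumed forms)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
WMI_RE = re.compile(r"Get-WmiObject|Get-CimInstance|Win32_", re.I)
SLEEP_RE = re.compile(r"Start-Sleep|\[System\.Threading\.Thread\]::Sleep", re.I)


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None.

    PowerShell expects base64 of the UTF-16LE script text, so that is what is
    decoded here; a malformed blob is treated as 'not encoded'."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Return one finding per suspicious record, in input order."""
    findings = []
    for ev in events:
        image = image_name(ev.get("Image", ""))
        if ev.get("EventID") == 3:
            # Rule 1: browser -> loopback on one of the campaign's listener ports
            if (image in BROWSERS
                    and ev.get("DestinationIp") in LOOPBACK
                    and int(ev.get("DestinationPort", 0)) in SUSPECT_PORTS):
                findings.append({
                    "rule": "browser_to_localhost_listener",
                    "detail": f"{image} -> {ev['DestinationIp']}:{ev['DestinationPort']}",
                    "tags": [],
                })
        elif ev.get("EventID") == 1 and image in SHELLS:
            # Rule 2: encoded PowerShell; decode it and tag WMI / sleep behaviour
            script = decode_encoded_command(ev.get("CommandLine", ""))
            if script is None:
                continue
            tags = []
            if WMI_RE.search(script):
                tags.append("wmi")
            if SLEEP_RE.search(script):
                tags.append("sleep")
            findings.append({"rule": "encoded_powershell", "detail": script, "tags": tags})
    return findings


# Constructed sample: one benign and one suspicious record of each event type.
STAGER_SCRIPT = "Start-Sleep -Seconds 60; Get-WmiObject Win32_ComputerSystem | Out-Null"
STAGER_ENCODED = base64.b64encode(STAGER_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 30303},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + STAGER_ENCODED},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["rule"], finding["tags"], finding["detail"][:60])
```

Both rules fire on the constructed sample: the Edge process connecting to 127.0.0.1:30303 and the encoded stager tagged `wmi` and `sleep`, while the svchost and plain `Get-Date` records pass. The loopback rule is the higher-signal one: a browser has few legitimate reasons to talk to a high localhost port, so in production it is worth alerting on any browser-to-loopback connection and using the port set only to raise severity.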


Read more: https://www.bitdefender.com/en-us/blog/labs/weaponizing-facebook-ads-inside-the-multi-stage-malware-campaign-exploiting-cryptocurrency-brands