Vietnamese Hackers Linked to 'Malverposting' Campaign
Cyber Security Threat Summary:
According to a recent blog post by Guardio Labs, a Vietnamese threat actor has been running a malverposting campaign for several months. The campaign is estimated to have infected more than 500,000 devices worldwide in the last three months alone. Malverposting is the use of promoted social media posts (paid ads and boosted posts) to spread malware and other threats; in this instance, the attacker abused Facebook's Ad service to distribute the malware. Nati Tal of Guardio Labs stated that the high number of infections was made possible by using Facebook's Ad service as the initial delivery mechanism.
“The Guardio team observed that the Vietnamese campaign relied on malverposting while it evolved various evasion techniques. It particularly focused on the USA, Canada, England and Australia. ‘This threat actor is creating new business profiles, as well as hijacking real, reputable profiles with even millions of followers,’ Tal explained. They also repeatedly posted malicious clickbait on Facebook feeds promising adult-rated photo album downloads for free. ‘Once victims click on those posts/links, a malicious ZIP file is downloaded to their computers,’ reads the advisory. ‘Inside are photo files (that are actually masqueraded executable files) that, when clicked, will initiate the infection process.’ The executable then opens a browser window popup with a decoy website showing related content. ‘While in the background, the stealer will silently deploy, execute and gain persistence to periodically exfiltrate your sessions cookies, accounts, crypto-wallets and more.’ Tal clarified that the team observed several variations of the latest payload, yet all shared a benign executable file to start the infection flow” (InfoSecurity Magazine, 2023).
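The lure described above, a ZIP of "photos" that are really executables, is the stage a download scanner or mail gateway can catch before anything runs. The following is an added example written for this summary, not code from Guardio Labs or from the article: it builds a small in-memory ZIP (constructed sample content, not a real campaign artifact) and flags entries whose name or magic bytes mark them as disguised executables (a double extension such as photo.jpg.exe, PE bytes behind an image extension, or a right-to-left override character in the name). The names `scan_zip`, `classify_member` and `build_sample_zip` are this example's own.

```python
from __future__ import annotations

import io
import zipfile

# Magic bytes for common image formats and for Windows PE executables.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PE_MAGIC = b"MZ"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the red flags for one archive entry; an empty list means it looks benign."""
    flags: list[str] = []
    base = name.rsplit("/", 1)[-1]
    # U+202E (right-to-left override) reverses the displayed name so the real
    # extension is hidden; a general masquerading check, not specific to this campaign.
    if "\u202e" in base:
        flags.append("rtlo-in-name")
    parts = base.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    last_ext = exts[-1] if exts else ""
    content = sniff(data)
    if last_ext in EXEC_EXTS:
        flags.append("executable-extension")
    # photo02.jpg.exe: an image extension placed in front of the executable one
    if last_ext in EXEC_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
        flags.append("double-extension")
    if content == "pe":
        flags.append("executable-content")
    # name claims an image, bytes say otherwise
    if last_ext in IMAGE_EXTS and content not in IMAGE_MAGIC.values():
        flags.append("extension-mismatch")
    return flags


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file entry of a ZIP held in memory and map entry name -> flags."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # enough for every magic value above
            report[info.filename] = classify_member(info.filename, head)
    return report


def suspicious(report: dict[str, list[str]]) -> set[str]:
    """Names of entries that raised at least one flag."""
    return {name for name, flags in report.items() if flags}


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real campaign artifact) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # genuine JPEG header
        zf.writestr("album/photo02.jpg.exe", b"MZ" + b"\x00" * 62)           # double extension, PE bytes
        zf.writestr("album/photo03.png", b"MZ" + b"\x00" * 62)               # PE bytes behind .png
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_zip(build_sample_zip())
    for entry, flags in result.items():
        print(entry, "->", ", ".join(flags) if flags else "ok")
    print("suspicious:", sorted(suspicious(result)))
```

Only the first 16 bytes of each entry are read, so the scan is cheap even on large archives; a production scanner would also enforce a decompressed-size limit per entry to avoid zip bombs.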
Security Officer Comments:
The campaign has targeted the Facebook accounts of business owners; once an account is compromised, the attacker takes control of it to exploit the business's reputation. The attacker then moves on to the associated advertising account, which sometimes still holds funds. By assuming the business's identity, the attacker runs further malicious ads through the account, widening the campaign's reach. This exposes new victims and disrupts the legitimate activity of reputable brands and stores. Researchers describe the payload used in the campaign as sophisticated and constantly changing, with new evasion techniques introduced over time. This makes it difficult for security vendors to detect and block the malware, particularly when individual components (such as the benign-looking first-stage executable) are examined in isolation rather than as part of the full infection chain. Guardio Labs' warning came shortly after Group-IB reported a separate phishing scam targeting Facebook users.
Suggested Corrections:
Guardio Labs has published IOCs associated with the campaign, including domains, malicious payload files, and affected Facebook pages/profiles; these can be used for blocking and for retrospective hunting in proxy, DNS, and endpoint logs.
Additionally, these other best practices should be followed:
Link:
https://www.infosecurity-magazine.com/news/vietnamese-hackers-malverposting/
https://labs.guard.io/