A recent “malverposting” campaign attributed to a Vietnamese threat actor has been running for months and is estimated to have infected more than 500,000 devices worldwide in the past three months alone.
The claims come from security experts at Guardio Labs and were published in a blog post on Wednesday.
In it, the team defined malverposting as “the use of promoted posts and tweets on social media to spread malware and other security threats”; in this case the vector is the abuse of Facebook’s ad service to deliver malware.
“The initial trigger for these numbers is the abuse of Facebook’s ad service as the first stage delivery mechanism responsible for this massive spread,” wrote Nati Tal, head of cybersecurity at Guardio Labs.
Guardio’s team observed that the Vietnamese campaign relied on malverposting while continually developing new evasion techniques. It was particularly focused on the USA, Canada, England and Australia.
“This threat actor is creating new business profiles as well as hijacking real and reputable profiles with even millions of followers,” Tal explained.
They also repeatedly posted malicious clickbait on Facebook channels promising free downloads of adult photo albums.
“Once victims click on these posts/links, a malicious ZIP file is downloaded to their computers,” the warning says. “Inside are photo files (which are actually disguised executable files) that, when clicked, will start the infection process.”
The executable then opens a pop-up browser window with a decoy website that displays related content.
“While in the background, the thief will silently deploy, execute, and gain persistence to periodically exfiltrate your session cookies, accounts, crypto wallets, and more.”
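The lure described above hinges on a ZIP archive whose “photo” files are actually executables. The following is an added example (not Guardio’s code, and not a sample from the campaign) showing how a practitioner could triage such an archive offline: it builds a constructed sample ZIP in memory with a genuine JPEG and a genuine PNG beside three disguised executables, then flags entries whose name claims an image but whose content starts with a PE (`MZ`) header, entries that stack an image extension in front of an executable one, and filenames carrying a Unicode right-to-left override. The magic-byte table and extension lists are assumptions kept deliberately small for the demo.

```python
import io
import zipfile

# Constructed signature table for the demo (assumption: enough for images vs. PE).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
RTL_OVERRIDE = "\u202e"  # U+202E makes "abc\u202egpj.exe" render as "abcexe.jpg"


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the claimed extension."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head[:2] == b"MZ":  # DOS/PE stub present on Windows executables
        return "pe"
    return "unknown"


def inspect_zip(blob: bytes) -> list[dict]:
    """Return one finding per suspicious archive member (empty list if clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]  # all dotted suffixes
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(16))  # header only; no full extraction
            reasons = []
            if last in EXEC_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
                reasons.append("double extension: image name with executable suffix")
            if last in IMAGE_EXTS and kind == "pe":
                reasons.append("image extension but PE (MZ) header")
            if RTL_OVERRIDE in name:
                reasons.append("right-to-left override in filename")
            if reasons:
                findings.append({"name": name, "content": kind, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the 'photo album' lure (not real malware)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 28          # minimal JPEG-looking header
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24          # minimal PNG-looking header
    fake_pe = b"MZ" + b"\x90" * 30                     # PE stub bytes, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("album/001.jpg", jpeg)              # benign
        zf.writestr("album/002.jpg.exe", fake_pe)       # double extension
        zf.writestr("album/003.jpg", fake_pe)           # image name, PE content
        zf.writestr("album/004" + RTL_OVERRIDE + "gpj.exe", fake_pe)  # RTL trick
        zf.writestr("album/005.png", png)               # benign
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f["name"], f["content"], "; ".join(f["reasons"]))
```

Because only the first 16 bytes of each member are read, the check is cheap enough to run on every archive crossing a download gateway or mail filter; it is a heuristic, so a clean result means “no obvious disguise”, not “safe”, and the sample names and lists above are this example’s own constructions.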
Tal clarified that the team observed several variations of the latest payload, but all of them start the infection flow from the same seemingly benign executable.
“The malicious payload is quite sophisticated and changes all the time, introducing new evasive techniques,” the security expert wrote.
“As we’ve seen, it takes time for security vendors to identify them and build relevant verdicts to block, especially when it’s done out of context.”
Guardio Labs’ warning comes weeks after security experts at Group-IB unveiled a phishing scheme targeting Facebook users based on more than 3,000 fake profiles.
Ikaroa is a full stack tech company dedicated to helping organizations around the world strengthen their cyber security. Recent reports have linked a group of Vietnamese hackers to a “malverposting” campaign in the US and other countries.
Malverposting, as described in the research above, abuses paid social media promotion: the attacker buys ads or takes over established profiles, posts clickbait that leads to a malware download, and uses the stolen session cookies, account credentials and crypto wallets to repeat the cycle. The cost falls on both the end users who are infected and the businesses whose accounts, ad budgets and followers are hijacked.
Ikaroa is committed to helping organizations protect their online presence so that they don’t fall victim to malverposting or other malicious activity. We offer a range of cyber security solutions, such as intrusion detection and access control systems, to identify suspicious activity, detect malware, and stop potential threats before they can do real damage.
This news serves as a reminder to businesses everywhere to take the necessary steps to protect their digital properties and data from malicious actors. At Ikaroa, we are committed to helping organizations protect their online assets and meet the regulatory requirements that keep everyone involved safe.