Facebook has detailed a wide-scale Chinese malware campaign that targeted its ad
platform for years and siphoned $4 million from users’ advertising
accounts. Dubbed “SilentFade”
(short for “Silently running Facebook Ads with Exploits”), the malware
compromised Facebook accounts and used them to promote malicious ads, steal
browser cookies and more. The social-media giant said that the Chinese malware
campaign started in 2016, but it was first discovered in December 2018, due to
a suspicious traffic spike across a number of Facebook endpoints. After an
extensive investigation, Facebook shut down the campaign and pursued legal
action against the cybercriminals behind the attack in December 2019.
Once installed, SilentFade stole Facebook credentials and cookies from various
browser credential stores, including Internet Explorer, Chromium and Firefox.
The malware itself consists of three to four components, with the main downloader
component being included in PUP bundles, researchers said. This downloader
component is either a standalone malware component or a Windows service
(installed as either “AdService” or “HNService”). It’s responsible for
persistence across reboots and for dropping 32-bit and 64-bit versions of dynamic
link libraries (DLLs) in Chrome’s application directory. After stealing credentials, the
malware retrieves metadata about the Facebook account (such as payment
information and the total amount previously spent on Facebook ads) using the
Facebook Graph API, a legitimate Facebook feature that allows users to
read and write data to and from the Facebook social graph. This data is then
sent back to the malware’s C2 servers (as an encrypted JSON blob through custom
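The persistence details above (a service installed under one of two names, and DLLs dropped into Chrome’s application directory) give a defender two host-level things to check. The following hunt script is an added example, not code from the article or from Facebook’s report; it assumes the quoted service names as the only name indicators and the usual Chrome install paths, and it flags any DLL under those paths that is unsigned or not signed by Google so an analyst can review it.

```powershell
# Added hunt script (not from the Threatpost article or Facebook's report).
# Assumptions: the service names are those quoted in the article; the Chrome
# paths below are the common install locations and may differ on a given host.
$SuspectServices = @('AdService', 'HNService')

$ChromeRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ }   # drop unset variables (e.g. no ProgramFiles(x86) on 32-bit)
$ChromeDirs = $ChromeRoots |
    ForEach-Object { Join-Path $_ 'Google\Chrome\Application' } |
    Where-Object { Test-Path $_ }

function Find-SuspectService {
    # Report any service carrying one of the quoted names, whatever its state,
    # together with the binary path it points at for follow-up review.
    Get-CimInstance Win32_Service |
        Where-Object { $SuspectServices -contains $_.Name } |
        Select-Object Name, State, StartMode, PathName
}

function Find-UnexpectedChromeDll {
    # Chrome's own DLLs under the Application folder normally carry a valid
    # Google Authenticode signature, so a DLL there that is unsigned or signed
    # by someone else is a candidate dropped file and is listed with its hash.
    foreach ($dir in $ChromeDirs) {
        Get-ChildItem -Path $dir -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Google') {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Status = $sig.Status
                        Signer = $signer
                        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Find-SuspectService       | Format-Table -AutoSize
Find-UnexpectedChromeDll  | Format-Table -AutoSize
```

A hit from either function is a lead, not a verdict: confirm by checking the service binary and the DLL against a known-good Chrome install of the same version before acting on it.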
In a unique anti-detection tactic, the C2 server stores the data and logs the
IP address of the incoming request for the purpose of geolocation. “This was
crucial as the attackers intentionally used the stolen credentials from the
same or a nearby city to the infected machine to appear as though the original
account owner has traveled within their city,” said researchers.
It should be noted that payment-information details (such as bank account and
credit card numbers) were never exposed to the attackers, as Facebook does not
make them visible through the desktop website or the Graph API.
Source: https://threatpost.com/silentfade-attack-facebook/159780/