In May 2023, Meta published a security report on the latest malware threats targeting users on Facebook. With the emergence of AI and ChatGPT, long-running malware families, including Ducktail and NodeStealer, took center stage, abusing the Facebook ad system to distribute malware ads.
Bad actors hack verified Facebook pages and rename them to trustworthy brands like Facebook, Meta, Google AI, Bard, and more. These rebranded pages with verified checkmarks are then used to run ads with links to malware.
In the report, Meta claimed to have disrupted malware operations marked by rapid adversarial adaptation. According to a report by Group-IB, more than 3,200 Facebook pages and profiles were compromised to impersonate tech brands, using keywords such as AI, ChatGPT, and Bard. After two months of decreased presence, the malware groups are wreaking havoc on Facebook once again.
This time, the malware ads are served through compromised, non-verified Facebook pages. We came across a group of these ads impersonating Google. The ads contain links to a download site hosted on the Google Sites platform, which includes a Dropbox-hosted direct download hotlink to the actual 4.26 MB malware RAR file.
Even though the archive is protected by the password mentioned on the website, browsers like Chrome can detect the malware during download and block it before it can attack the device. While Chrome detected and blocked the malware automatically, Windows Defender failed to detect it even when the installer was running.
The screenshot below shows one of the Malware sites hosted on sites.google.com.
To prevent being sabotaged by such malware and increase awareness, Facebook added "Page transparency" to all pages to show the history of any name change and country of origin, among other details. Two pages that were recently hacked are "গাছগাছালি," renamed to AI Marketing on the 19th, and "SONAX Bangladesh," renamed to AI Marketing on the 27th of July 2023.
At the time of writing, these pages are still active, and the links to the malware, hosted on Dropbox, are still working. It makes sense to be wary of downloads being offered, even by seemingly verified pages on Facebook. If you are unsure about the identity of a Facebook page, you can navigate to the page's About section for details on the history of the page and any renames it underwent. It can also be accessed by adding /about to any Facebook company page URL in the address bar.