Upon clicking the ad, the user is taken to a fake Clubhouse app website that looks quite authentic but its download link drops malware.
Reports now indicate that threat actors are running Facebook ads promoting a Clubhouse app for PC in order to deliver the malware. Attackers have again relied on the same tactic because no PC version of the Clubhouse app has been released yet.
It is worth noting that threat actors constantly look to exploit the popularity of certain apps to lure unsuspecting users into downloading malware. The Clubhouse app boasts over 8 million downloads so far, which has made it a current favorite of cybercriminals.
Just a couple of weeks ago, Hackread.com reported on BlackRock malware disguised as an Android version of the Clubhouse invite-only audio chat app, while ESET researchers pointed out that no Android version of the app had been released. The app was available on iPhone only.
Malicious New Facebook Ads Campaign
TechCrunch reported that several Facebook pages are being used to post ads tied to the Clubhouse app. When the recipient clicks on the ad, it opens a fake Clubhouse website showing a screenshot of the non-existent PC version of the app and a download link.
Naturally, unsuspecting users click the link, believing it to be a legitimate version of the app. Once opened, the app connects to its C&C server and receives instructions on what to do next. According to TechCrunch’s sandbox analysis of the malware, the malicious app deployed ransomware on the infected device.
Nine Ads Posted So Far
In total, nine ads were posted via fake Facebook profiles between Tuesday and Thursday. Most of the ads stated a similar tagline that read: Clubhouse “is now available for PC.” Some featured a photo of app co-founders Paul Davidson and Rohan Seth.
The ads were later removed from Facebook’s Ad Library. How they made it to user profiles and evaded Facebook’s authentication processes is still unclear.
Fake Clubhouse Websites Currently Offline
TechCrunch also revealed that, in an interesting turn of events, the fake Clubhouse app websites, which were hosted in Russia, went offline, and the malware stopped working after receiving an error from the server.