Facebook claims that a Chinese company is responsible for operating SilentFade malware and the malicious ad-fraud campaign.
Facebook’s security experts discovered a sophisticated Chinese-sponsored malware campaign stealing millions of dollars from users through SilentFade malware in 2018.
Facebook’s security team successfully shut down the malicious scheme and shared the scam’s full details at last week’s Virus Bulletin 2020 security conference.
The social network’s security researchers Sanchit Karve and Jennifer Urgilez revealed that the campaign was most active from late 2018 to Feb 2019 but could be operational from 2016.
SilentFade is a shorter version of Silently running Facebook Ads with Exploits. The malware can steal Facebook credentials and web browser cookies. The malware helped hackers siphon $ 4 million from user’s advertising accounts.
According to Facebook’s security team, the attackers hijacked users’ Facebook accounts through malware and used them for purchasing ads on behalf of the users. Facebook’s team also noted that the malware wasn’t limited to Facebook only. Its operations were noticed in December 2018 when suddenly there was an increase in suspicious traffic around several Facebook endpoints.
A sample carousel of ads run by accounts infected by SilentFade malware
During their investigation, Facebook’s team identified various interesting techniques that the malware used for compromising user accounts. The main objective was to commit ad fraud, and run ad campaigns, sometimes as pharmaceutical pills ads and fake celebrity endorsements.
Moreover, the malware’s initial attack vector wasn’t Facebook or its products, as it came bundled with PUPs (potentially unwanted programs). Since all Chromium and Firefox browsers store cookies and credentials in the SQLite database; malware running on an infected endpoint can easily access the cookie store if it can determine its location in different browsers.
There were three to four components of the malware, and its main downloader was included in PUP bundles.
This was a multi-stage malware scheme in which a Windows trojan was used to infect computers, then hijacked web browsers to access cookies and credentials. Through SilentFade, attackers could only steal Facebook-specific passwords and cookies.
Hence, it worked on Internet Explorer, Firefox, and Chromium. Using the data, the hackers trawl through user accounts on Facebook to find those having payment methods attached for viewing paid advertisements. Such accounts were used to purchase ads. The stolen data was stored on a C&C server while the attackers logged the incoming requests’ IP address for tracking geolocation.
Within a few months, hackers managed to buy ads worth more than $4million. Since SilentFade involved multiple evasion techniques, it can detect virtual machines and disable Facebook notification alerts on hijacked accounts.
Facebook claims that financial data like credit card numbers or bank account details were safe because Facebook never exposes them through its desktop website or the Graph API. The social networking giant traced the Chinese company that operated this campaign and sued it and the two developers in December.