
January 29, 2024

Unmasking Deception: Malware Disguised as Meta Verification Tool

Social media scams have become an unfortunate reality, with malicious individuals and hackers constantly devising new tactics to exploit users' private data. In a disturbing development, fake Meta accounts have emerged as impostors, cunningly posing as the renowned social media giant. Their deceptive aim? To lure unsuspecting users into downloading counterfeit tools through fraudulent accounts, meticulously replicating Meta's appearance, complete with verified ticks on their profiles. Unbeknownst to the victims, these seemingly innocent downloads contain malware capable of infiltrating devices, allowing scammers to gain unauthorized access to users' social media accounts, granting them the ability to disseminate spam or unleash malicious content. 

Meta Verified is a comprehensive subscription verification program designed for Instagram and Facebook, offering a range of additional benefits such as live chat customer support and protection against account impersonation.

Figure 1 - Meta Verified for Instagram and Facebook.

On October 29, 2023, researchers at Nexusguard came across a Facebook Ad featuring a sponsored page that falsely claimed to provide a tool for assisting account owners in obtaining verification. The accompanying post displayed in the ad included a link and a code intended for unzipping the file.

Figure 2 - Sponsored Facebook Ad promising a cutting-edge Meta Verification Tool

The advertisement was shared on a compromised Facebook page, boasting a staggering 1.5 million followers at present.

Through the utilization of the page transparency feature, our team uncovered that the page in question was established on November 28, 2008.

Figure 3 – Facebook page transparency section

Upon closer examination, it became evident that the page was managed by two administrators, with one administrator residing in the United States, and the other based in Vietnam.

Figure 4 – Geographical Locations of Page Administrators

The Facebook advertisement shared by the compromised page (Figure 2) included a link that, upon clicking, redirected visitors to hxxp[:]//www[.]canamexdrywall[.]ca/ai-tool-verifedpage.

Figure 5 – Website featured on the advertisement

Upon accessing the aforementioned website, a RAR archive is downloaded automatically. The file is named "AI Page verification version 1.0.4.rar." After the file is successfully downloaded, it is extracted using the password provided in the advertised post.

Figure 6 – Website featured on the advertisement

Initial scans showed that the file was malicious with 17 out of 61 detections.

Figure 7 – Virustotal.com showed 17 out of 61 detections

In order to gain deeper insights into the malware, we conducted a meticulous dynamic analysis, encompassing the execution of the malicious software within a highly secure virtualized environment.

Figure 8 – Processes spawned during the execution of the malware

Upon careful examination, it became clear that the executed file generated a multitude of files within the directory  C:\Program Files\Google\Install\nmmhkkegccagdldgiimedpic\

Figure 9 – Files created by the malware

Following the creation of the files illustrated in Figure 9, the malware proceeded to execute ru.ps1, a PowerShell script of particular interest. The contents of the PowerShell script are presented below for analysis and understanding.

The PowerShell script orchestrates the termination of Google Chrome, Microsoft Edge, and Brave browsers, while simultaneously installing a browser extension under the deceptive guise of "Google Translate." This clever disguise allows the extension to conceal its true intentions and motives.

Figure 10 – Malicious extension loaded into the Google Chrome browser

Decoding the Malicious Extension

The primary objective of the malware is to surreptitiously install a malicious extension on Google Chrome, cunningly masquerading itself as a genuine Google Translate extension.

Obfuscated version: https://pastebin.com/dWEVg85S 

De-obfuscated version: https://pastebin.com/FCZwkJ8W 

Figure 11 – Content of background.js

As shown above, the background.js file is intentionally obfuscated, which is itself a strong indicator of malicious intent.

Our team successfully deciphered the obfuscated JavaScript, revealing its true contents. Preliminary analysis suggests that this insidious extension is designed to illicitly pilfer Facebook tokens, primarily with the intention of compromising and hacking Facebook accounts.

Figure 12 – Decoded background.js shows code to steal Facebook tokens

Figure 13 – Decoded background.js shows code to get victim IP address

The captured data, comprising the victims' Facebook tokens and IP addresses, is subsequently transmitted to hxxps[:]//managevds.com.
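The two behaviours described above, a PowerShell stage that loads an unpacked extension into Chrome, Edge or Brave, and an obfuscated background.js that reads Facebook session data, leave artifacts a defender can look for on the host. The following PowerShell hunt script is an added example written for this article and is not Nexusguard's code nor part of the malware. It assumes the extension is sideloaded either through a modified browser shortcut carrying a --load-extension= argument or through the ExtensionInstallForcelist policy key; the registry paths and heuristics are ours, and the C:\Program Files\Google\Install directory from the analysis is only one of many places such a directory could live.

```powershell
# Added example (not Nexusguard's code): hunt a Windows host for sideloaded browser
# extensions of the kind described in this analysis.
# Assumptions: the extension is loaded via a browser shortcut argument
# (--load-extension=<dir>) or via the ExtensionInstallForcelist policy key.
# Run with: powershell -ExecutionPolicy Bypass -File Find-SideloadedExtension.ps1

$findings = @()

# 1. Shortcuts whose arguments force an unpacked extension into the browser.
$shortcutRoots = @(
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
$shell = New-Object -ComObject WScript.Shell
foreach ($root in $shortcutRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match 'chrome\.exe|msedge\.exe|brave\.exe' -and
            $lnk.Arguments -match '--load-extension=') {
            $findings += [pscustomobject]@{
                Source = 'Shortcut'; Location = $_.FullName; Detail = $lnk.Arguments
            }
        }
    }
}

# 2. Force-installed extension policy entries. Legitimate in managed fleets,
#    so compare the output against the list your IT team actually pushes.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Source = 'Policy'; Location = $key; Detail = $_.Value }
        }
}

# 3. Triage an unpacked extension directory: does the manifest ask for cookie
#    access on facebook.com, and does the background script look obfuscated?
function Test-ExtensionDirectory {
    param([string]$Dir)
    $manifestPath = Join-Path $Dir 'manifest.json'
    if (-not (Test-Path $manifestPath)) { return $null }
    $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    $hosts = @($m.permissions) + @($m.host_permissions)
    $risky = ($m.permissions -contains 'cookies') -and [bool]($hosts -match 'facebook\.com')
    # MV2 background scripts vs. MV3 service worker.
    $bg = @()
    if ($m.background.scripts)        { $bg += $m.background.scripts }
    if ($m.background.service_worker) { $bg += $m.background.service_worker }
    $obfuscated = $false
    foreach ($script in $bg) {
        $p = Join-Path $Dir $script
        if (-not (Test-Path $p)) { continue }
        $src = Get-Content -Raw -Path $p
        # Heuristics only: runs of hex-escaped strings, _0x-style identifiers,
        # and dynamic code construction are typical of packed extension code.
        if ($src -match '(\\x[0-9a-fA-F]{2}){8,}' -or
            $src -match '_0x[0-9a-fA-F]{4,}' -or
            $src -match '\beval\(|\bFunction\(') { $obfuscated = $true }
    }
    [pscustomobject]@{
        Directory = $Dir; Name = $m.name
        CookieAccessOnFacebook = $risky; LooksObfuscated = $obfuscated
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Source -eq 'Shortcut' | ForEach-Object {
    # --load-extension accepts a comma-separated list, optionally quoted.
    if ($_.Detail -match '--load-extension=(?:"([^"]+)"|(\S+))') {
        $dirs = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        foreach ($d in $dirs -split ',') { Test-ExtensionDirectory -Dir $d }
    }
}
```

A shortcut pointing at a browser with --load-extension= is unusual outside extension development, so on an end-user machine any hit deserves a look regardless of what the triage function reports; the manifest and obfuscation checks are there to prioritise, not to clear. Pair this with a proxy or DNS query for the exfiltration domain named in the analysis to confirm whether the extension has already phoned home.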

Upon conducting a thorough Google search on the domain managevds.com, we discovered that it has been blacklisted as a phishing website, indicating its malicious intent and potential threats it poses to users.

Figure 14 – Google search result shows that the domain is blacklisted

Conclusion

Our findings underscore the grave reality of perpetrators exploiting social engineering techniques to capitalize on the unwavering trust users place in popular social networking platforms. It is crucial for users to grasp the fact that appearances can be deceiving, even when dealing with seemingly legitimate services. As cybercriminals continue to refine their tactics with alarming sophistication, users must maintain constant vigilance, stay well-informed, and proactively adopt measures to protect their personal information and fortify their online identity. 

Furthermore, it is advised to refrain from downloading any files or clicking on links within paid advertisements until Meta takes effective measures to address and resolve this issue. Engaging with such content could potentially expose users to various risks, including malware, unauthorized access, or other malicious activities. It is strongly recommended to exercise vigilance and avoid interacting with suspicious or unverified links within paid advertisements on Meta. Keep a watchful eye for any official updates or announcements from Meta regarding the resolution of this problem.

Nexusguard, renowned for its resolute commitment to cybersecurity, goes beyond mere threat intelligence development through meticulous data gathering and analysis. Our comprehensive suite of web and network application security solutions stands as a formidable defense, proficiently detecting and obstructing malicious traffic, including those targeting Facebook ads. By leveraging our proactive measures, organizations gain a distinct advantage in staying ahead of the ever-evolving threat landscape, promptly identifying emerging attack techniques before they proliferate.

For uninterrupted visibility into your cyber risk and to explore our comprehensive offerings, visit Nexusguard today.
