Full Report
A persistent malvertising campaign is plaguing Facebook, leveraging the reputations of well-known cryptocurrency exchanges to lure victims into a maze of malware. Since Bitdefender Labs started investigating, this evolving threat has posed a serious risk by deploying cleverly disguised front-end scripts and custom payloads on users’ devices, all under the guise of legitimate cryptocurrency platforms and influencers. This report unveils how the attackers use advanced evasion tactics, mass brand
Analysis Summary
# Tool/Technique: Malvertising Payload Delivery System (Custom)
## Overview
A sophisticated, multi-stage malvertising campaign utilizing Facebook Ads to impersonate major cryptocurrency platforms (e.g., Binance, TradingView) to trick users into downloading custom malware payloads under the guise of legitimate desktop clients. The system focuses heavily on advanced evasion, user tracking, and forensic decontamination of the initial web delivery mechanism.
## Technical Details
- Type: Attack Framework/Delivery System (Leveraging custom malware components)
- Platform: Windows (Execution environment based on MSI installer and .NET server)
- Capabilities: Mass brand impersonation, anti-sandbox checks, geo/behavioral targeting, remote code execution via local proxy/server.
- First Seen: Ongoing, operating for several months prior to the report.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
  - T1497 - Virtualization/Sandbox Evasion
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (implied by front-end interaction)
- TA0002 - Execution
  - T1547 - Boot or Logon Autostart Execution (implied persistence via custom installation/task setup)
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (via Task Scheduler execution)
## Functionality
### Core Capabilities
- **Social Engineering & Brand Impersonation:** Creating hundreds of highly convincing fake advertisements and landing pages mimicking brands like Binance, TradingView, ByBit, SolFlare, and MetaMask.
- **Delivery via Malicious Download:** Luring users into downloading a file named `installer.msi` (approx. 800 KB).
- **Front-End Evasion:** The initial website only serves malicious content if specific query parameters (`utm_campaign`, `fbid`, `cid`, etc.) from the originating Facebook Ad are present. Otherwise, it serves benign content.
- **Targeted Delivery:** Checks for user login status on Facebook and filters based on demographic/behavioral profiles (e.g., male, interested in tech/crypto).
- **Browser Locking:** Newer variants require the site to be opened specifically in Microsoft Edge; other browsers receive non-malicious content.
### Advanced Features
- **Local Proxy/Server Establishment:** After installation, the malware uses `msedge_proxy.exe` to open the impersonated page, simultaneously launching a suspicious DLL that establishes a local .NET-based server on ports 30308 or 30303.
- **Remote Payload Execution:** The local server exposes two API endpoints for remote command delivery:
  - **/set (or /s):** Receives an XML-formatted payload that is executed via Windows Task Scheduler.
  - **/query (or /q):** Executes custom WMI queries and exfiltrates the machine ID along with the query responses.
- **Anti-Analysis Looping:** The system employs a looped PowerShell task that fails to download the final payload in dynamic analysis environments, so automated sandboxes never observe the final stage.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: `installer.msi`
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: Local server listening on ports 30308 or 30303.
- Behavioral Indicators: Execution loop involving PowerShell that stalls payload download in analysis environments; use of `msedge_proxy.exe` post-installation; local server offering /set and /query functionalities.
## Associated Threat Actors
- Unknown threat actors leveraging cryptocurrency hype and large-scale Facebook advertising infrastructure. (No specific APT group named).
## Detection Methods
- **Signature-based detection:**
  - `Generic.MSIL.WMITask` (for malicious DLLs)
  - `Generic.JS.WMITask` (for malicious JavaScript on websites)
  - `Trojan.Agent.GOSL` (for malicious JavaScript in the final-stage payload)
- **Behavioral detection:** Monitoring attempts to establish local servers on ports 30308/30303; monitoring processes calling WMI in suspicious ways; detection of attempts to create persistent tasks via Task Scheduler immediately following an MSI installation.
- **YARA rules:** [Not explicitly provided in the context]
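As an added example (not Bitdefender's detection code), the behavioral indicators above, and the local-server behaviour described under Advanced Features, can be turned into correlation logic over endpoint telemetry. The records, file paths and timestamps below are constructed; the 15-minute post-install window is an assumption standing in for "immediately following an MSI installation".

```python
# Added example (not Bitdefender's code): detection logic for the behavioural
# indicators in the report, run over constructed Sysmon-style records.
from datetime import datetime, timedelta
import ntpath

SUSPECT_PORTS = {30308, 30303}        # local .NET server ports named in the report
LOOPBACK = {"127.0.0.1", "::1"}
POST_INSTALL = timedelta(minutes=15)  # assumed window for "immediately following" an MSI install
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application"

def _exe(image):
    return ntpath.basename(image).lower()

def detect(events):
    """Return (rule, timestamp) pairs; events are dicts with id (1 = process create,
    3 = network connection), ts (ISO-8601), image, cmd, dst_ip, dst_port."""
    alerts, installs = [], []   # installs: timestamps of msiexec runs on installer.msi
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        exe, cmd = _exe(ev.get("image", "")), ev.get("cmd", "").lower()
        recent_msi = any(timedelta(0) <= ts - t <= POST_INSTALL for t in installs)
        if ev["id"] == 1 and exe == "msiexec.exe" and "installer.msi" in cmd:
            installs.append(ts)
        elif ev["id"] == 1 and exe == "msedge_proxy.exe" and recent_msi:
            # msedge_proxy.exe is a legitimate Edge binary; only its use right after the install is suspicious
            alerts.append(("msedge_proxy_after_msi", ev["ts"]))
        elif ev["id"] == 1 and exe == "schtasks.exe" and "/create" in cmd and recent_msi:
            alerts.append(("scheduled_task_after_msi", ev["ts"]))
        elif ev["id"] == 3 and ev.get("dst_ip") in LOOPBACK and ev.get("dst_port") in SUSPECT_PORTS:
            alerts.append(("local_server_port", ev["ts"]))
    return alerts

# Constructed sample telemetry (not a real capture); paths and times are made up.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2024-05-01T09:00:00", "image": EDGE + r"\msedge_proxy.exe", "cmd": "msedge_proxy.exe --app-id=example"},
    {"id": 1, "ts": "2024-05-01T10:00:00", "image": r"C:\Windows\System32\msiexec.exe", "cmd": r"msiexec.exe /i C:\Users\user\Downloads\installer.msi"},
    {"id": 1, "ts": "2024-05-01T10:00:20", "image": EDGE + r"\msedge_proxy.exe", "cmd": "msedge_proxy.exe --app=http://example.invalid/"},
    {"id": 3, "ts": "2024-05-01T10:00:25", "image": EDGE + r"\msedge.exe", "dst_ip": "127.0.0.1", "dst_port": 30308},
    {"id": 1, "ts": "2024-05-01T10:01:00", "image": r"C:\Windows\System32\schtasks.exe", "cmd": "schtasks.exe /Create /TN Updater /TR powershell.exe"},
    {"id": 3, "ts": "2024-05-01T10:02:00", "image": EDGE + r"\msedge.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule}")
```

The earlier, stand-alone `msedge_proxy.exe` launch at 09:00 is deliberately left unflagged, since that binary is used legitimately for Edge app windows; only the loopback connection to a suspect port fires without a preceding install.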
## Mitigation Strategies
- **Scrutinize Ads:** Exercise extreme caution with ads promising quick financial gains or free software; always verify the source.
- **Use Official Sources Only:** Download all software, especially cryptocurrency wallets or trading clients, directly from the vendor’s official website.
- **Utilize Scam Checking Tools:** Employ tools like Bitdefender Scamio or Link Checker to verify URL legitimacy before interaction.
- **Browser Caution:** Be wary if a website mandates the use of a specific browser (like Edge) or presents itself as polished but non-functional.
- **Maintain Security Software:** Ensure security solutions are updated to detect evolving threat signatures and behaviors.
## Related Tools/Techniques
- Malvertising Campaigns
- Brand Impersonation Attacks
- Client-side filtering based on HTTP parameters