A recent ‘malverposting’ campaign linked to a Vietnamese threat actor has been ongoing for months and is estimated to have infected over 500,000 devices worldwide in the past three months alone.
What is Malverposting?
Malverposting is the practice of distributing malware to a large number of people through promoted social media posts on platforms like Facebook, Twitter, and Instagram.
How does the campaign infect devices?
The campaign pays for promoted posts and tweets to push malicious software and other security threats to unsuspecting users. Because the platform's own ad delivery does the distribution, the attacker reaches a far larger target pool than organic posts from a fresh account ever could.
From the accounts it operated, the threat actor served sponsored posts that offered free downloads of adult-rated photo albums in ZIP format. The ZIP file does not contain images alone: it bundles executable files that trigger an infection chain when opened. The stealer malware itself is not in the archive; it is downloaded dynamically from C2 servers using curl and 7zip binaries that are hidden inside the original ZIP payload, so the lure can stay small and the final payload can be swapped server-side. The malware steals sensitive information, including session cookies and account data, which is what lets the operator take over further social media accounts and keep the campaign running.
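The lure described above is a ZIP that advertises photos but carries executables, including bundled curl and 7zip binaries. The following is an added example, not code from the original article or from the researchers it quotes: a small Python triage routine that inspects a ZIP archive by content rather than by file name. It flags any entry that starts with the PE "MZ" magic (whatever its extension), any executable hiding behind an image extension, and any entry named like a known download or unpack tool. The archive it scans is constructed inline to resemble the lure; the file names, the tool list and the `inspect_zip` verdict labels are assumptions for illustration.

```python
import io
import zipfile

# PE executables on Windows start with the DOS "MZ" magic.
PE_MAGIC = b"MZ"
# JPEG files start with FF D8 FF; used only to build the sample archive.
JPEG_MAGIC = b"\xff\xd8\xff\xe0"

# Extensions under which executable content is expected (hypothetical list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll", ".bat", ".cmd", ".ps1"}
# Tool names the campaign is reported to bundle; any match is worth a look.
BUNDLED_TOOL_NAMES = {"curl.exe", "7z.exe", "7za.exe", "7zr.exe"}


def _basename_and_ext(name: str):
    """Return (lower-cased base name, last extension incl. dot or '')."""
    base = name.lower().rsplit("/", 1)[-1]
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    return base, ext


def inspect_zip(data: bytes) -> dict:
    """Scan an in-memory ZIP and return findings plus a verdict.

    Content is checked by magic bytes, so "02.jpg" that is really a PE
    file is caught even though its name looks like an image.
    """
    findings = {"pe_entries": [], "disguised_entries": [],
                "bundled_tools": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base, ext = _basename_and_ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                findings["pe_entries"].append(info.filename)
                # Executable bytes behind a non-executable extension.
                if ext not in EXECUTABLE_EXTS:
                    findings["disguised_entries"].append(info.filename)
            if base in BUNDLED_TOOL_NAMES:
                findings["bundled_tools"].append(info.filename)
    if findings["pe_entries"] or findings["bundled_tools"]:
        findings["verdict"] = "suspicious"
    return findings


def build_sample_lure() -> bytes:
    """Constructed archive that mimics the lure: a few 'photos' plus executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("album/01.jpg", JPEG_MAGIC + b"\x00" * 64)   # real-looking image
        zf.writestr("album/02.jpg", PE_MAGIC + b"\x90" * 64)     # PE disguised as image
        zf.writestr("Open_Album.exe", PE_MAGIC + b"\x90" * 64)   # benign-looking launcher
        zf.writestr("data/curl.exe", PE_MAGIC + b"\x90" * 64)    # bundled downloader
        zf.writestr("data/7z.exe", PE_MAGIC + b"\x90" * 64)      # bundled unpacker
    return buf.getvalue()


def build_clean_album() -> bytes:
    """Constructed archive containing only image-like entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(3):
            zf.writestr(f"album/{i:02d}.jpg", JPEG_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("lure", build_sample_lure()),
                           ("clean", build_clean_album())):
        print(label, inspect_zip(archive))
```

The check reads only the first two bytes of each entry, so it is cheap enough to run on every attachment or download at a mail or web gateway. It is deliberately name-agnostic: renaming the bundled curl and 7zip binaries would defeat the `BUNDLED_TOOL_NAMES` match but not the magic-byte match. A password-protected archive cannot be content-checked this way, and in that case the name-based heuristics are all that is left, so treat an encrypted "photo album" as suspicious on its own.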
Tal clarified that the team observed several variations of the latest payload, all of which used a benign executable file to start the infection flow.
“The malicious payload is quite sophisticated and varies all the time, introducing new evasive techniques,” the security expert wrote.
The findings come as Group-IB revealed details of an ongoing phishing operation aimed at Facebook users, which tricks them into entering their credentials on copycat login sites so that the operators can take over their profiles.