Guardio Labs has attributed a “malverposting” campaign on social media platforms to a Vietnamese threat actor who has infected over 500,000 devices globally with variants of information stealers. Malverposting involves the use of promoted social media posts to propagate malicious software and other security threats, with attackers creating new business profiles and hijacking popular accounts to serve ads that offer free adult-rated photo album downloads.
These downloads contain what appear to be images but are in fact executable files; opening one activates the infection chain, which ultimately deploys the stealer malware to harvest session cookies, account data, and other information.
This attack chain is highly effective, creating an expanding army of hijacked Facebook bot accounts used to push more sponsored posts, thereby scaling the scheme further. The threat actor has been found to pass off the newly generated business profile pages as photographer accounts to evade detection by Facebook.
The PHP-based stealer’s deployment method is continuously evolving to include more detection evasion features, indicating that the campaign’s perpetrator is actively refining and retooling their tactics in response to public disclosures.
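As an added defensive illustration, not part of Guardio's report, the check below scans a downloaded archive for entries that carry an image extension but begin with an executable file header, which is the disguise described above. The archive and its member names are constructed samples, not files from the campaign.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions a user would expect to be harmless pictures.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp"}

# Leading bytes that identify common executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",        # DOS stub of a PE executable
    b"\x7fELF": "ELF",          # Linux executable
    b"#!": "script with shebang",
}


def build_sample_archive() -> bytes:
    """Constructed sample: a 'photo album' zip with one real image and two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # genuine JPEG magic
        zf.writestr("album/photo2.jpg", b"MZ" + b"\x90" * 64)               # PE with an image name
        zf.writestr("album/photo3.png.exe", b"MZ" + b"\x90" * 64)           # double extension
    return buf.getvalue()


def classify_magic(head: bytes) -> Optional[str]:
    """Return the executable format label for the first bytes of a file, or None."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def find_disguised_executables(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for entries that look like images but are not."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            if not exts:
                continue
            last_ext = exts[-1]
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header is needed for the magic check
            label = classify_magic(head)
            if last_ext in IMAGE_EXTENSIONS and label:
                findings.append((info.filename, f"image extension but {label} header"))
            elif len(exts) > 1 and any(e in IMAGE_EXTENSIONS for e in exts[:-1]) and last_ext not in IMAGE_EXTENSIONS:
                findings.append((info.filename, f"double extension ending in {last_ext}"))
    return findings
```

Magic-byte matching is a heuristic: it catches the name/content mismatch this lure relies on, but a full gateway control would also apply antivirus scanning and block executables in user downloads outright.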
The findings come amid an ongoing phishing operation aimed at Facebook users, which tricks them into entering their credentials on copycat login sites and then uses the stolen credentials to take over their profiles.
Additionally, Malwarebytes has discovered a malvertising campaign that tricks users searching for games and food recipes on Google, redirecting them to fake Weebly websites that conduct tech support scams.
These attacks highlight the increasing sophistication and evolving tactics of threat actors, underscoring the need for continued vigilance and improved cybersecurity measures.