Now that Microsoft has improved protection against malicious macros by blocking them in Internet-delivered files by default, cybercriminals have had to explore other methods of distributing links to malicious websites hosting malware. There has been an increase in the use of malvertising to target web users and trick them into downloading malicious files, and SMS and instant messaging services are increasingly being used for distributing malware, which bypasses Microsoft’s macro protections and email security defenses.

One such campaign, which is proving extremely effective, is being conducted via Facebook Messenger and was recently detected by researchers at Guardio Labs. The campaign targets business users and tricks employees into downloading a compressed archive (RAR/ZIP) containing a batch file that fetches a GitHub-hosted malware dropper. The dropper delivers Python-based malware and sets up a standalone Python environment for it to run in. The malware binary is configured to execute at system startup and has multiple layers of obfuscation, making it difficult for anti-virus solutions to detect once installed.

The malware is an information stealer that collects cookies and passwords stored in the browser, compresses them into a zip archive, and sends the archive to the attacker via the Telegram or Discord bot API. Once the cookies and browser data have been stolen, the malware wipes the cookies, logging the user out of their account. The attacker can then use the stolen credentials to log in and change the passwords, locking the legitimate user out and giving the attacker time to misuse the accounts.
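As an added defender-side illustration (not code from the original post or from Guardio Labs), the following Python script runs a simple detection over constructed process and network log lines: it flags a Python interpreter running from a user-writable folder that was launched by a batch file and then connects to the Telegram or Discord API hosts, which is the chain described above. The log format, field names, hostnames and paths are assumed.

```python
import re

# Hosts used by the Telegram and Discord bot/webhook APIs (real endpoints).
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
# User-writable folders an extracted archive or a dropped Python env
# would typically live in (assumed list, extend to taste).
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Temp)\\", re.I)
# Constructed log format: space-separated key="value" pairs.
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV.findall(line))


def find_stealer_chains(lines):
    """Return (host, pid, dest) for Python processes that were launched by a
    batch file in a user-writable folder, run from a user-writable folder
    themselves, and later connected to a bot-API host."""
    suspicious = set()  # (host, pid) of interpreters matching the launch pattern
    alerts = []
    for ev in map(parse_event, lines):
        key = (ev.get("host"), ev.get("pid"))
        if ev.get("type") == "process":
            parent = ev.get("parent_cmd", "")
            image = ev.get("image", "")
            batch_parent = ".bat" in parent.lower() and USER_DIR.search(parent)
            python_in_user_dir = "python" in image.lower() and USER_DIR.search(image)
            if batch_parent and python_in_user_dir:
                suspicious.add(key)
        elif ev.get("type") == "network":
            # Only alert when the network event ties back to a flagged process,
            # so an unrelated connection to discord.com is not an alert by itself.
            if key in suspicious and ev.get("dest") in EXFIL_HOSTS:
                alerts.append((ev["host"], ev["pid"], ev["dest"]))
    return alerts


# Constructed sample events: one matching chain on WS01, two benign distractors.
SAMPLE_LOG = r'''
type="process" host="WS01" pid="4412" image="C:\Users\bob\AppData\Local\Temp\pyenv\python.exe" parent_cmd="cmd.exe /c C:\Users\bob\Downloads\Invoice_Docs\open.bat"
type="process" host="WS01" pid="5120" image="C:\Program Files\Python311\python.exe" parent_cmd="C:\Windows\explorer.exe"
type="network" host="WS01" pid="4412" dest="api.telegram.org" dport="443"
type="network" host="WS01" pid="5120" dest="pypi.org" dport="443"
type="network" host="WS02" pid="7001" dest="discord.com" dport="443"
'''.strip().splitlines()

if __name__ == "__main__":
    for host, pid, dest in find_stealer_chains(SAMPLE_LOG):
        print(f"ALERT {host}: pid {pid} (python from user dir, batch parent) -> {dest}")
```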

The campaign has proven to be highly effective. Around 100,000 phishing messages are being sent each week, and the researchers believe that around 7% of business Facebook accounts have been targeted, with 0.4% of business accounts downloading the malicious file. The number of users who have executed the batch file is unknown, but the researchers suggest that around 1 in every 250 accounts has been infected.

One of the ways that businesses can protect against this attack is by using the WebTitan web filter. Facebook Messenger poses a security risk to businesses and can be a major drain on productivity, which is why many businesses block Facebook Messenger at work. WebTitan can be configured to block Facebook and Messenger entirely, or to permit access to the Facebook site while blocking Facebook Messenger. Controls can be applied organization-wide, to user groups, or to specific users.