Facebook company
SilentFade
Unveiling a Malware Ecosystem
Targeting the Facebook Ad Platform
1
Sanchit Karve
Jennifer Urgilez
facebook
Facebook company
2
1. Background: Malware Targeting Social Network Accounts
2. SilentFade Features
3. On-Platform Persistence
4. Post-Compromise Abuse
5. A Larger Ecosystem of Malware Targeting Social Network Users
6. Attribution
7. Closing Thoughts
Agenda
Facebook company
APTs
Targeted Attacks against Individuals and/or
Organizations
PUAs and Backdoored Apps
Data Scraping, Fake Engagement
CRIMEWARE
Worms
Platform used as propagation vehicle
Access
Harvesting FB credentials from infected
devices
2008
koobface: Windows & Mac versions
InfoStealer.Gampass
2009
Bredolab/FakeScanti
2012
Dorkbot/SDBot
2014
FaceLiker
BePush
2015
Qakbot + Man-in-the-Browser support for Facebook
Malware Affecting FB Users
Background
Novel Malware Impacting FB Users
Facebook company
A new group emerged in early 2016
Amateur malware developers but rapidly improving
Generally High AV detection rate but can require special repair procedures
Malware targeted towards Social Network users and Tech Platforms
Facebook, Instagram, Twitter and (more recently) Amazon
Linked to at least three evolving malware families
Graph API Queries
Infrastructure setup, Data Exfiltration format
Platform-specific techniques
4
SilentFade
Background
Facebook company
Facebook Graph API is the primary API apps
use to read and write to the Facebook Social
Graph.
All Facebook SDKs and Products use the
Graph API in some form.
Documentation and Usage:
https://developers.facebook.com/docs/graph-api/
5
Graph API
Background
Prototyping Queries with Graph API Explorer
https://developers.facebook.com/tools/explorer/
Facebook company
Easiest method to query the Graph API is to perform
a HTTP GET request to graph.facebook.com
Graph API Query from Screenshot is of form:
6
Graph API Query in a Sample
Background
https://graph.facebook.com/v{version}
/act_{ad_account}
?access_token={token}&
_reqName={endpoint}&
_reqSrc={source}&
_sessionID={sessionID}
&fields={query_string}
&include_headers={bool}&
locale={locale}&
method={get/post}&
pretty={bool}&
suppress_http_code={bool}
Facebook company
SilentFade
Silent Facebook ADs + Exploit
Facebook company
Timeline
Active since 2016 with major updates from Dec 2018
Page Block Exploit released on Dec 22, 2018
MMX instructions-based string obfuscation after bug fixed
Support for Instagram and Amazon Cookies added in 2019
Infection Vector
Arrives on victim devices via Adware bundles and pirated software installers
Possibly downloaded by other malware
Purpose
Run Malicious Ads using Compromised Accounts and linked victim payment methods
Damages
Losses due to credit card chargebacks and refunds to malware victims for ad fraud
8
Overview
SilentFade
Facebook company
PUPs/PUAs: Adware bundlers
Monetization via PPI networks such as
LoadMoney
InstallCapital
others
Pirated software from Torrents
Likely downloaded by other malware
9
Infection Vector
SilentFade
Facebook company
Compromise Facebook Account
Credential stealer in the form of Raw Credentials and Cookies
Linked Payment Info on Facebook Account
Retrieve Lifetime spend on Ads
Retrieve Number of Friends and profile information
Retrieve Information about Owned Pages and Business Managers
Disable all controls to inform user of unauthorized activity
Disable Account and Page Notifications via push, SMS, and email
Block FB Business and FB Login Alerts pages from messaging users
Exploit bug to block pages as users
Persistence On Compromised Device
Contains Service/Daemon component and DLL injected into browsers w/ watcher components
10
Features
SilentFade
Facebook company
Extracted from SQLite Data Stores from
Chromium-based browsers
Firefox
IE/Edge
Passwords are encrypted in DB
Passwords in Chromium-based SQLite
credential stores are encrypted using
CryptProtect* Win32 APIs
SilentFade decrypts them on read
11
Credential Theft
SilentFade
Facebook company
Extracted from SQLite Data Stores from
Chromium-based browsers
Firefox
IE/Edge
Cookies are encrypted in DB
Cookies in Chromium-based SQLite credential
stores are encrypted using CryptProtect*
Win32 APIs
SilentFade decrypts them on read
Only Facebook cookies are stolen
12
Session Theft
SilentFade
Facebook company
Access Tokens Extracted from Ads Manager App
Ads Manager is a Facebook Platform app for
managing ads
Access token is available in page content at
https://www.facebook.com/adsmanager/
Cookies previously extracted by SilentFade are
appended to HTTP request
With a valid session cookie, the request is made as
an authenticated or logged-in user.
Once Access Token is extracted, Graph API queries
can be made with it
13
Access Token Theft
SilentFade
Facebook company
14
Retrieve Summary of Linked Payment Methods
SilentFade
Determine Account Value
Does the user have a linked payment
method?
Credit Card
PayPal Account
Bank Account
Note: Payment Method Details are not stolen
they are not visible even with access to account.
Presence of existing account balance?
Accounts are more valuable with
linked payment methods as attackers
can run ads from the compromised
accounts.
Facebook company
Stolen information organized internally as JSON
Data encrypted, custom-encoded and sent over to C&C
servers through custom headers over HTTPS
Relevant Information collected
Channel ID (Campaign ID)
Has the user ever run ads on Facebook?
Does the user have linked payment accounts?
Credit cards, Bank Account or PayPal?
Total Friends
Does the user have a Business Manager?
Does the user own any Facebook Pages?
Does the user have existing Ad Credit?
The Users Total Ad Spend
15
Data Sent to C&C Servers
SilentFade
Facebook company
SilentFade: On-Platform Persistence
Facebook company
All Notifications are disabled upon infection
Allows attackers to use the compromised account
without arousing suspicion
Notifications Disabled
Notification Sounds
SMS
Email
In-App Push Notifications
Messages sent to Owned Pages
17
Disable User Notifications
SilentFade: On-Platform Persistence
Facebook company
Facebook Login Alerts Page
Sends you push notifications and messages
via Messenger on suspicious or unrecognized
login events
Facebook Business Page
Sends you push notifications and messages via
Messenger for status updates and CTAs on ads
currently being run.
18
Facebook Login Alerts & Facebook for Business Pages
SilentFade: On-Platform Persistence
Facebook company
Facebook Login Alerts Page
Blocked to prevent user from receiving alerts
about suspicious login events
Facebook Business Page
Blocked to prevent user from receiving alerts
about ad activity originating from account
Bug Exploited
Page IDs are blocked as Users
19
Page Block Exploit
SilentFade: On-Platform Persistence
Facebook company
20
Page Block Exploit In Action
SilentFade: On-Platform Persistence
Bug: Pages Blocked as Users
Caused by missing server-side
validation of ID during Block
Request
Server-side validation present
during Unblock Request
As a result, Pages blocked “as users”
cannot be unblocked by users
Users do not receive notifications for
Suspicious Logins
Ad Activity
Facebook company
Bug Fixes and Countermeasures Implemented
Full remediation of compromise vector
Page Block bug fixed upon discovery
Security-related pages can no longer be
blocked
All accounts with detected infections are
checkpointed” (notified and sessions killed)
Several minor back-end changes to prevent
additional abuse
Samples after bug fix stopped including page
block exploit or any notification setting
disabling code.
21
Remediation
SilentFade: On-Platform Persistence
Facebook company
SilentFade: Post-Compromise Abuse
Facebook company
23
Attack Cycle
SilentFade: Post-Compromise Abuse
Facebook company
Type of Ads
Counterfeit Products
Celeb-Bait
Male Enhancement Scams
Pharmaceutical Pills (Diet, Keto)
24
Ads Run By SilentFade
SilentFade: Post-Compromise Abuse
Ad Surfaces
Facebook Newsfeed and Stories
Instagram Newsfeed and Stories
Facebook Audience Network (Shown in Mobile Apps)
Ad Formats
Images (often distorted)
Videos (often distorted)
Carousels
Facebook company
An Example of Ad Targeting
Targeted adult users in Australia
To be displayed in newsfeed on mobile
Initial Domain: epsdemo[.]com
Cloaking Technique
Is the IP address from Australia?
Is the request from a mobile device?
Is the click originating from Facebook?
Ad Creatives
Intentionally distorted images and
Videos to throw off classification
systems
25
Cloaking in Action
SilentFade: Post-Compromise Abuse
Facebook company
Evading Automated Redirection Detection Systems
JavaScript can use the history.pushState()
function to add URLs to the browsers history
stack.
Users are likely to click the “Back” button on their
mobile browsers once they visit an unwanted or
unintended page.
Pressing the “Back” button takes the user to the
“money page”.
Also used to force user to stay on page by
pushing the same URL on the stack multiple
times.
URL Redirection Systems may miss the final
redirect due to the nature of this technique
26
Abusing the JavaScript History API
SilentFade: Post-Compromise Abuse
Facebook company
SilentFade: Signs of a Larger Malware Ecosystem
Facebook company
SilentFade: Signs of a Larger Malware Ecosystem
Chinese Malware Families Targeting Facebook Users
Timeline of Related Malware
SuperCPA
Apr 2016
2016
2017
2018 2019 2020
FB + Twitter
Apr 2017
Page Block
Dec 2018
Exploit
Removed
Apr 2019
Obfuscated
Strings
Jun 2019
BitBucket
Downloader
Jul 2019
NetSys
May 2020
NetSys
Dec 2019
SilentFade
DiskScan
Dec 2018
StressPaint
Apr 2018
FB Only
Oct 2017
PDFReader
Feb 2019
PDFReader
Feb 2019
CHCookie
Dec 2019
CHCookie
Jun 2020
FBRobot
.NET
Jun 2019
FITBot
Jan 2020
Scranos
Apr 2019
???
??? 2020
StressPaint
FBRobot
Scranos
Same typos in
code as SFade
First use of Graph API & Page
Block Exploit
Same GraphAPI
Query as SFade
Steals Amazon Cookies
Business Manager Support
String Obfuscation
like SilentFade
.NET based AdClicker
Uses FB Pages to link
to additional malware
FB + IG + Twitter
VB6-based
Credential Theft
DOM Injector
Rootkit
2017
2016
2018
2019
2020
C/C++
Delphi, then
C/C++
C# .NET
VB6
Facebook company
29
Related Malware: FacebookRobot
SilentFade: Signs of a Larger Malware Ecosystem
FacebookRobot + NetSys
FacebookRobot and NetSys samples are written in C# and C++ respectively
Both share C2 server, AES crypto and key
Attackers love to experiment with different languages
Facebook company
Anti-VM code unique to this ecosystem
The Approach is very common
Detection using Display Driver Description
But the implementation is unique
DirectX9 APIs used
Anti-VM code recreated in C in slide image.
25/10/2019 Document name 30
Unique Anti-VM Code
SilentFade: Signs of a Larger Malware Ecosystem
Facebook company
SilentFade Attribution
Facebook company
Dealing with Malware for a Web Service
Zero Visibility into Endpoint Devices
Web Services are not Anti-Malware Products
We can’t measure what we can’t see
Decoupled and open nature of WWW makes it possible to spoof traffic
coming from any app or device
How do we know if traffic is legitimate?
Benign and Malicious activity originates from the same device
Limited value in forcing password resets as device is already
compromised by malware.
2FAC/MFAC doesn’t matter as malware steals post-authentication
session cookies.
32
Malware Challenges for Web Services
SilentFade Attribution
Facebook company
Library Code Maintained on GitHub
Compile timestamps were reliable.
Most library code used in SilentFade
samples found in a GitHub
Repository.
Discovered samples in the wild w/
code from GitHub repo before the
repository was created on GitHub
33
SilentFade Code
SilentFade Attribution
Facebook company
Compromise Facebook Account
PE Resource Code Pages set to
Simplified Chinese.
Locale within code set to Simplified
Chinese
PDB paths consistent across older
variants
Same user found posting code in a
Chinese-language programming
forum
34
SilentFade Developer
SilentFade Attribution
Facebook company
Maintainers found looking for
desktop installs
Individuals connected with
SilentFade found on forums
looking for channels to
distribute the malware using
PPI networks
35
Pay-Per-Install (PPI) Traffic
SilentFade Attribution
Facebook company
36
Legal Action
SilentFade Attribution
https://about.fb.com/news/2019/12/taking-action-against-ad-fraud/
https://www.reuters.com/article/us-facebook-ilikead-lawsuit/facebook-sues-ilikead-alleges-ad-fraud-
idUSKBN1Y92IR
https://www.zdnet.com/article/facebook-sues-chinese-malware-operator-for-abusing-its-ad-platform
https://www.businessinsider.com/facebook-china-ilikead-compromised-run-fake-ads-2019-12
Facebook company
GitHub Account taken down by actor.
New C&C servers and communication
protocol
Code rewritten from scratch but
(currently) offers same functionality.
DirectX based Anti-VM detection features
added.
37
Updates since Legal Action
SilentFade Attribution
Related malware families evolve with newer features,
SilentFade appears to have morphed to “NetSys” with MMX-
based string obfuscation
Instagram credential theft and session compromise code
added
Twitter Account Compromise functionality resurrected.
Facebook company
User Education is Key
Endpoint Protection Products (AV) can recommend that users change credentials upon malware detection.
Notify users which online accounts could’ve been compromised based on data in credential stores
Cross-Industry Collaboration and Partnership
Monitoring and Sharing Credential dump sharing is no longer enough
Include the ability to monitor, share and ingest cookies as well
Endpoint protection solutions can inform browser or web services directly upon infection
New APIs needed for Endpoint solutions to communicate device compromise to Browser and for
Browser to communicate account compromise with web services.
Keep Sharing IOCs
Continue sharing IOCs and publishing Threat Reports
38
Where do we go from here?
Closing Thoughts
Thank You!