SILENTFADE: UNVEILING A MALWARE ECOSYSTEM THAT TARGETED... KARVE & URGILEZ
2 VIRUS BULLETIN CONFERENCE SEPT - OCT 2020
INTRODUCTION
All successful malware campaigns require a medium for proliferation. Originally, malware relied on emails, software
piracy over peer-to-peer services, and autorun functionality from removable drives, among others, to spread. While many of
these forms are still used today, they have evolved to use cross-site scripting, ‘malvertising’, smarter email responses to
existing threads [1], messaging services [2], and even remote code execution (RCE) exploits across a variety of file formats
and protocols [3, 4]. With the rise of social networks in the last 15 years, malware authors have recognized a new attractive
surface for worm-like functionality. Two thirds of all Internet users use social media platforms [5] today, and it’s no
surprise that these services have caught the attention of cybercriminals looking for access to potential victims (by infecting
their devices to compromise online accounts).
Koobface [6] emerged in 2008 as one of the first malware families to leverage social networks to spread. Bredolab/
FakeScanti [7] soon followed by using fraudulent emails appearing to originate from Facebook to infect unsuspecting
users. Dorkbot/SDBot [8] and BePush [9] appeared a few years later and tricked users into clicking malicious links via the
Facebook messaging service sent from infected computers by injecting malicious JavaScript code within the Browser
Document Object Model (DOM). FaceLiker [10] took a different approach by using infected users to ‘like’ and follow
Facebook pages without their knowledge, a practice referred to as ‘fake engagement’ [11]. Later, malware campaigns
gradually shifted from stealing all credentials available on an infected machine to prioritizing credentials from social
networks. Even seasoned infostealers such as Qakbot [12] began to look explicitly for Facebook credentials in their man-in-the-browser (MitB) components.
Most of these threats simply used social networks to spread and did not depend on them for monetization. However, a new
group has appeared on the cybercrime scene whose sole objective is to target users of social networking services for ad
fraud, sales of counterfeit goods, pharmaceutical pills, and fraudulent product reviews.
This paper dives into a new malware family we’ve coined ‘SilentFade’ – based on its focus on silently running Facebook
ads. For some users the attackers made this compromise more persistent by leveraging a short-lived bug to suppress
notifications, so that infected users could not be notified of suspicious activity. Facebook first detected SilentFade during
the final week of 2018. The bug the attackers had used to suppress notifications of suspicious user activity was patched
shortly after, the affected ad dollars were refunded, and legal action was ultimately taken in December 2019 against the
individuals behind this cybercriminal group. We also discovered a web of other malware families likely connected to
SilentFade [13]. We assess that the SilentFade group first appeared in early 2016, and has since consistently experimented
with and evolved its malware-writing skill set as it adds support for newer Facebook features and expands to other social
networks and web services.
We will dive deeper into SilentFade’s ‘page block’ exploit used for persistence, describe post-infection behaviours,
post-enforcement adaptations of the malware operators, and discuss challenges associated with malware detection for web
services across the Internet.
The goal of this paper is to introduce and raise awareness of this new malware actor group. We hope this sparks
opportunities for web platforms and the anti-malware community to partner and make the Internet safer.
SILENTFADE
While we do not believe the malware’s use was exclusive to Facebook, we internally named the malware family SilentFade
to represent its purpose of ‘Silently running Facebook ADs with Exploits’. The December 2018 variant [14] of SilentFade
is the most notable due to its on-platform persistence features. Later in this paper, you will see how the malware, upon
off-platform device-level infection, disabled victims’ Facebook-initiated notifications, exploiting a (since fixed) server-side
validation bug and creating an irreversible state where users could not receive any notifications from Facebook regarding
suspicious activity originating from their accounts. SilentFade would then run malicious ads using compromised accounts
without victims noticing due to the notifications being suppressed.
SilentFade is not downloaded or installed by using Facebook or any of its products. It is often bundled with potentially
unwanted programs (PUP) in pirated copies of popular software, and is likely downloaded by other malware as well. As a
result, users unwittingly compromised their own computers by downloading and installing the malware with other pirated
software. Figure 1 shows an example of a web page leading to the download of SilentFade.
SilentFade consists of three to four components, with the primary downloader component being included in PUP bundles.
The downloader application either downloads a standalone malware component or a Windows service installed as either
‘AdService’ or ‘HNService’. The service is responsible for persistence across reboots and for dropping 32-bit and 64-bit
versions of a DLL (usually winhttp.dll [15, 16] or winmm.dll [17, 18]) in Chrome’s application directory. This is done for the
purpose of DLL hijacking, so that the malicious DLL is loaded by Chrome in place of the real winhttp.dll. The DLL proxies
all requests to the real winhttp.dll, but makes its own requests to facebook.com through the Chrome process, evading dynamic
behaviour-based anti-malware detection by mimicking innocuous network requests.
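A defender-side check for the DLL-hijacking artefacts described above, added here as an example and not code from the paper or the SilentFade operators: it flags DLLs named winhttp.dll or winmm.dll found under Chrome’s application directory (comparing them against the copy in System32) and reports service names matching AdService/HNService. The directory tree and service list in demo() are constructed so the check runs offline; on a real Windows host the paths to pass are Chrome’s application directory and C:\Windows\System32, and the service names would come from the Service Control Manager.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names the paper reports SilentFade dropping into Chrome's application directory.
HIJACK_DLLS = {"winhttp.dll", "winmm.dll"}
# Service names the paper reports for the persistence component.
SUSPECT_SERVICES = {"adservice", "hnservice"}

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_sideload_candidates(app_dir, system_dir):
    """Return (path, reason) for every DLL under app_dir that carries the name of a
    system DLL. A copy beside chrome.exe wins the loader's search order over
    System32, so its mere presence is a finding; the hash comparison only refines
    the reason (an altered copy is the proxy-DLL case the paper describes)."""
    findings = []
    for dll in Path(app_dir).rglob("*.dll"):
        name = dll.name.lower()
        if name not in HIJACK_DLLS:
            continue
        legit = Path(system_dir) / name
        if legit.exists() and sha256_of(legit) == sha256_of(dll):
            reason = "unmodified copy of a system DLL outside System32"
        else:
            reason = "system DLL name with contents that differ from System32"
        findings.append((str(dll), reason))
    return findings

def suspicious_services(service_names):
    """Flag installed service names matching those the paper attributes to SilentFade."""
    return sorted(s for s in service_names if s.lower() in SUSPECT_SERVICES)

def demo():
    # Constructed on-disk layout so the check runs offline; none of this is real malware.
    root = Path(tempfile.mkdtemp())
    sys32, app = root / "System32", root / "Chrome" / "Application"
    sys32.mkdir()
    app.mkdir(parents=True)
    (sys32 / "winhttp.dll").write_bytes(b"constructed stand-in for the real winhttp.dll")
    (app / "winhttp.dll").write_bytes(b"constructed stand-in for a proxy DLL")  # hijack
    (app / "chrome_elf.dll").write_bytes(b"constructed stand-in for Chrome's own DLL")
    return find_sideload_candidates(app, sys32), suspicious_services(["Spooler", "AdService"])
```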
The purpose and overview of the SilentFade operation is outlined in Figure 2.