The SilentFade group used malware to buy ads on behalf of the hacked users.
At the Virus Bulletin 2020 security conference, members of the Facebook security team revealed details about one of the most sophisticated malware campaigns ever to target Facebook users. The cybercriminal group, dubbed SilentFade, used malware to buy ads on behalf of hacked users from late 2018 to February 2019.
SilentFade used a combination of a Windows Trojan, browser injection, scripts, and vulnerabilities in the Facebook platform, demonstrating a sophisticated method of operation rarely seen from criminals. The goal of SilentFade was to infect users with a Trojan, take control of the browser, and steal users' passwords and browser cookies in order to gain access to their Facebook accounts. After gaining access, the criminals looked for accounts with a payment method linked to the profile and used the victim's funds to post malicious ads on the social network on their behalf.
Although the campaign lasted only a few months, the criminals managed to steal more than $4 million from users.
According to experts, the criminals distributed a modern version of the SilentFade malware bundled with legitimate software offered for download on the Internet. As soon as the SilentFade Trojan landed on a user's Windows device, the hackers gained control over the victim's computer. However, instead of abusing the system for more intrusive operations, the malware only replaced legitimate DLL files in browser installations with malicious copies, which gave SilentFade control of the browser.
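Because the malware's foothold was a swapped DLL inside the browser's installation directory, a simple defender-side check is a file-integrity baseline of that directory: hash every DLL once on a known-good install, then periodically compare. The Python below is an added example, not code from Facebook's report or from any SilentFade analysis; the directory layout and file names (browser_core.dll, browser_net.dll, plugins/extra.dll) are constructed for the demo and stand in for a real browser install tree.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(install_dir: Path) -> dict:
    """Map each DLL (path relative to the install root) to its SHA-256 hash."""
    return {
        p.relative_to(install_dir).as_posix(): sha256_of(p)
        for p in sorted(install_dir.rglob("*.dll"))
    }


def compare_to_baseline(install_dir: Path, baseline: dict) -> dict:
    """Report DLLs whose contents changed, appeared, or vanished since the baseline.

    A 'replaced' entry is exactly the pattern described for SilentFade: the
    file name is unchanged but the bytes on disk are not the vendor's.
    """
    current = build_baseline(install_dir)
    return {
        "replaced": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed browser install tree, baseline it, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        # Constructed stand-ins for vendor-shipped DLLs (not real browser files).
        (root / "browser_core.dll").write_bytes(b"MZ constructed core module v1")
        (root / "browser_net.dll").write_bytes(b"MZ constructed network module v1")
        baseline = build_baseline(root)

        # Simulate the SilentFade-style tampering: same file name, different bytes,
        # plus one extra DLL dropped into a subdirectory.
        (root / "browser_core.dll").write_bytes(b"MZ constructed core module TAMPERED")
        (root / "plugins" / "extra.dll").write_bytes(b"MZ constructed dropped module")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real Windows host the baseline would be taken from a freshly installed browser and stored somewhere the user account cannot write to; the comparison can be complemented with `Get-AuthenticodeSignature` in PowerShell, since a vendor-shipped DLL that fails signature verification is suspicious regardless of any baseline.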
As Facebook noted, the malware used scripts to disable many of the social network's security features and even discovered and then exploited a vulnerability in the platform to prevent users from re-enabling the disabled features (site notifications, chat notification sounds, SMS notifications, email notifications, and page notifications).
Knowing that Facebook's security systems can detect suspicious activity and logins and notify the user via a private message, the SilentFade gang also blocked Facebook for Business and Facebook Login Alerts, the senders of those private-message alerts.
Facebook investigated and found a GitHub account that allegedly hosted many of the libraries used to build the SilentFade malware. Facebook traced this account and the SilentFade malware back to ILikeAd Media International Company, a Hong Kong-based software company founded in 2016, as well as two of its employees, Chen Xiao Kong and Huang Tao. Facebook sued the company and the two developers in December 2019, and the lawsuit is still ongoing.