Threat Research

“Uncovering a Malicious Facebook Ad Campaign Targeting Bitwarden Users: Insights from Bitdefender Labs”

BitDefender

Summary:

Throughout 2024, Bitdefender Labs has identified a series of malvertising campaigns exploiting platforms like Facebook to distribute malware disguised as legitimate applications. A notable campaign involves a fake Bitwarden extension that lures users into installing harmful software by impersonating a security update. This campaign targets a wide demographic across Europe and utilizes deceptive ads, redirect chains, and extensive data collection methods to compromise user security.

Keypoints:

  • Bitdefender Labs is monitoring malvertising campaigns throughout 2024.
  • Fake advertisements on Facebook lure users into installing malware disguised as legitimate software.
  • The campaign impersonates Bitwarden, creating urgency for users to install a “security update.”
  • Target demographic includes consumers aged 18 to 65 across Europe.
  • Malicious ads have the potential for global expansion.
  • Users are redirected through multiple sites to a phishing page mimicking the Chrome Web Store.
  • The malware collects personal data and targets Facebook business accounts.
  • Attackers manipulate users into sideloading the malicious extension by bypassing browser security checks.
  • The extension requests extensive permissions to intercept online activities.
  • Data collection includes Facebook cookies, IP and geolocation data, and user information via Facebook’s Graph API.
  • Detection strategies include monitoring suspicious permissions and behavioral signatures.
  • Users are advised to verify extension updates and scrutinize ads before clicking.
  • Bitdefender Scamio is recommended for scam detection and protection against malicious ads.

    • MITRE Techniques

  • Phishing (T1566): Utilizes deceptive advertisements to lure users into installing malware.
  • Credential Dumping (T1003): Collects Facebook user credentials through malicious extensions.
  • Exploitation of Vulnerability (T1203): Exploits browser vulnerabilities by sideloading malicious extensions.
  • Data from Information Repositories (T1213): Gathers sensitive user data from Facebook accounts.
  • Command and Control (T1071): Uses Google Script URL as a command-and-control server for data exfiltration.

    • IoC:

  • [url] facebook[.]com
  • [url] api.ipify[.]org
  • [url] freeipapi[.]com
  • [url] graph.facebook[.]com
  • [file name] service-worker-loader.js
  • [file name] background.js
  • [file name] popup.js
  • [tool name] Bitdefender Scamio

    • Full Research: https://www.bitdefender.com/en-us/blog/labs/inside-bitdefender-labs-investigation-of-a-malicious-facebook-ad-campaign-targeting-bitwarden-users/

    Tags: SCAM, CREDENTIAL, COLLECTION, BROWSER, EXFILTRATION, TOOL, EXPLOIT, PHISHING