Cyber Security News

Threat Actor Behind Malverposting Campaign Infects 500K Devices

Over the past three months, a "malverposting" campaign on social media platforms has been attributed to a Vietnamese threat actor and has infected over 500,000 devices worldwide. According to reports, the campaign was launched to deliver variants of information stealers such as S1deload Stealer and SYS01stealer.

The term "malverposting," a combination of "malvertising" and "posting," refers to a tactic used by cybercriminals to spread malware through social media platforms. Malverposting involves posting ads or sponsored content on social media platforms that contain links to malicious websites. Once users click on these links, they are redirected to a website that infects their device with malware.

Malverposting Campaign Used Facebook Ads

According to a report by cybersecurity firm Guardicore Labs, the Vietnamese threat actor behind the malverposting campaign used Facebook Ads to distribute their malware. The threat actor would create fake Facebook profiles and pages and use them to run ads promoting fake products or services. These ads would contain links to malicious websites that would infect users' devices with information stealers.

The information stealers used in the malverposting campaign were designed to steal sensitive information such as login credentials, financial information, and personal data. The stolen information would then be sent back to the threat actor's command-and-control servers, where it could be used for further malicious activities.

Guardicore Labs identified two main variants of information stealers used in the malverposting campaign. The first variant, S1deload Stealer, was designed to steal login credentials and other sensitive information from web browsers and cryptocurrency wallets. The second variant, SYS01stealer, was designed to steal sensitive information from the Windows operating system, including login credentials and financial data.

According to the report, the malverposting campaign was highly effective, with over 500,000 estimated infections worldwide. The majority of the infections were in Southeast Asia, particularly Vietnam, where the threat actor is believed to be based. However, infections were also reported in other parts of the world, including the United States, Europe, and Africa.

The malverposting campaign highlights the growing trend of cybercriminals using social media platforms to spread malware. Social media platforms are attractive to cybercriminals because they offer a large and diverse user base, making it easier to spread malware to a wide audience. In addition, ad networks and user-generated posts on these platforms are often less strictly vetted than other online channels, which makes them easier to abuse for distributing malicious links.

To protect themselves from malverposting and other types of malware, users should be cautious when clicking on links or ads on social media platforms. They should also ensure that they have up-to-date antivirus software installed on their devices and regularly scan their devices for malware.

Organizations can also take steps to protect themselves from malverposting and other types of malware. They should ensure that their employees are trained to recognize and avoid phishing and other social engineering attacks. They should also implement security measures such as firewalls, intrusion detection and prevention systems, and endpoint protection solutions to detect and block malicious traffic.

Guardicore Labs confirmed: "On initial detection, we've shared the details and worked together with Meta's engineering and research teams who were super responsive, taking immediate actions to stop the propagation of this campaign in their ad network."