How a Chinese malware gang cheated Facebook users for $ 4 million

Picture: Con Karampelas

At the Virus Bulletin 2020 security conference today, members of the Facebook security team revealed more information about one of the most sophisticated malware operations that has ever targeted Facebook users.

Known internally on Facebook as SilentfadeThis malware gang was active between late 2018 and February 2019, when Facebook’s security team detected their presence and intervened to stop their attacks.

SilentFade used a combination of Windows Trojans, browser injection, clever scripting and bugs in the Facebook platform, showing a sophisticated modus operandi rarely seen with malware that targets Facebook’s platform.

SilentFed’s operations were intended to infect users with Trojans, hijack users’ browsers, and steal passwords and browser cookies so that they could access Facebook accounts.

Once they arrived, the group searched for accounts that had any type of payment method linked to their profile. For these accounts, SilentFed purchased Facebook ads with victims’ funds.


Picture: Krave and Urgilez VB discussion

Despite being operated for only a few months, Facebook said that the group managed to defraud infected users of more than $ 4 million by posting malicious Facebook ads on the social network.

Ads, which usually appeared in the geographic location of the infected user, used a similar template, to limit their performance.

They used URL shorters and images of celebrities to lure users to sites selling shady products, such as weight loss products, keto pills, and more.


Picture: Crave and Urzilez VB talk

Facebook discovered SilentFed’s operations in February 2019, following reports of users of suspicious activities and illegal transactions originating from their accounts.

During a subsequent investigation, Facebook said it found the group’s malware, previous malware strains, and dating campaigns dating back to 2016, and even tracked the gang’s operations to a Chinese company and two developers, The company filed a lawsuit in December 2019.

Start of silentfed

According to Facebook, the Silentfeed gang began operating in 2016, when it first developed a malware strain called SuperCPA, which was primarily focused for Chinese users.

“Not much is known about this malware as it is fully powered by the downloaded configuration files, but we believe it was used for click fraud – thus costing CPA in this case Work – Refers through a victim install-base in China “Sanchit Karve and Jennifer Urgilez write in their SilentFed report.

But Facebook says the group dropped SuperCPA Malware in 2017 when they developed the first iteration of Silentfeed Malware. This early version infects browsers to steal credentials for Facebook and Twitter accounts, with a focus on verified and high-follow profiles.

But development on SilentFed picked up in 2018 when its most dangerous version and used in the 2018 and 2019 attacks.

How silentfed spread online

Karve and Urgilez say the gang spread the modern version of SilentFed by bundling it with legitimate software, which they offered to download online. Facebook said it found advertisements from two silentfed developers posted on hacking forums where they were willing to buy web traffic from hacked sites or other sources, and diverted this traffic to pages hosting silentleaf-infected software bundles And has been redirected.


Picture: Krave and Urgilez VB discussion

Once users are infected, the Trojan of SilentFed will take control of a victim’s Windows computer, but instead of misusing the system for more intrusive tasks, it has only allowed DLL files inside browser installations to malicious versions of the same DLL Replaced with, because the Silentfeed gang was allowed to control. Browser.

Targeted browsers included Chrome, Firefox, Internet Explorer, Opera, Edge, Orbitum, Amigo, Touch, Kometa, and Yandex Browser.

The malicious DLL steals credentials stored in the browser, but, more importantly, the browser session cookies.

SilentFed then used the Facebook session cookie to access the victims’ Facebook accounts, with neither a need to provide credibility nor a 2FA token, as a valid and pre-authenticated account holder.

Facebook platform bug

Here is where SilentFed showed its true sophistication.

Facebook said that the malware used clever scripting to disable many of the social network’s security features, and also detected and used a bug in its platform to prevent users from re-enabling disabled features.

Karve and Urgilez said that to prevent users from discovering that someone has accessed their account or is posting ads on their behalf, the Silentfeed gang has tried to access and disable the user’s Facebook settings section of the browser Used his control over:

  • Site notifications
  • Chat notification sounds
  • SMS notifications
  • Any type of email notifications
  • Page related information.

But Silentfeed did not stop here. Knowing that Facebook’s security system can detect suspicious activity and logins and notify the user via a private message, the Silentfeed gang has also blocked Facebook for business And Facebook login alert Accounts that send these private messages for the first time.


Picture: Crave and Urzilez VB talk

The SilentFed group discovered a bug in the Facebook platform and misused it every time a user tried to unblock accounts, triggering an error and preventing users from removing two account restrictions.


Picture: Crave and Urzilez VB talk

“This was the first time we saw malware actively changing notification settings, blocking pages, and exploiting a bug in a blocked subsystem to maintain persistence in a blocked account,” Facebook said.

“The exploitation of this notification-related bug, however, became a silver layer that allowed us to detect compromised accounts, measure the scale of silentfed infections, and misappropriate user accounts from early account compromises. Helped mapping for malware. “

Facebook returned to all users

Facebook said it has patched the platform bug, returned the notification-blocking functions of the malware, and returned all users whose accounts were abused to purchase malicious Facebook ads.

The company did not stop here either, and tracked the malware and its makers across the web throughout 2019. Clues were found in the GitHub account that Silentfeed was apparently hosting several libraries used to create malware.

Facebook created this account and ILikeAd Media International Company Ltd., a Hong Kong-based software company founded in 2016. And SilentFade tracked the malware and the two people behind it were Chen Xiao Kang and Huang Tao. Facebook sued the company and both the gods in a legal case in December 2019 which is still ongoing.

Facebook also said that SilentFed was part of a larger trend and a new generation of cybercrime people who live in China and are continuously targeting its platform and its juicy 2 billion userbase.

It also includes the likes of Skranos, FacebookRobot and Stresspaint.


Picture: Krave and Urgilez VB discussion