A concerning cybersecurity threat emerges as threat actors manipulate paid Facebook promotions featuring Large Language Models (LLMs) to propagate malicious code, aiming to implant a malevolent browser add-on and pilfer sensitive user credentials.
While LLMs gain widespread attention due to the rise of general artificial intelligence, the adoption of such technologies also provides fertile ground for cybercrime. In this detailed analysis, a cyber attack campaign is unveiled where threat actors misuse paid promotions on Facebook to propagate malicious code. These attackers ingeniously employ URL shorteners, Google sites, and cloud storage services for their malicious endeavors.
The researchers behind this discovery collaborated with Meta, uncovering the tactics, techniques, and procedures (TTPs) of this specific threat actor, leading to the removal of reported fraudulent pages and ads. Meta is committed to fortifying its detection systems to thwart similar fraudulent activities, while also enhancing protection for businesses targeted by such malware across the digital landscape.
The attack vectors employed by the threat actor involve luring victims through paid Facebook promotions that showcase fabricated profiles of marketing entities. These fake profiles exhibit distinctive traits, including artificially inflated follower counts, counterfeit reviews, and a minimal online history.
Promising improved productivity, broader reach, and boosted revenue via AI integration, the fraudulent ads tempt users to click on them, leading to a deceptive website that touts the benefits of LLM technology. This webpage contains a link to download an alleged “AI package,” which, in reality, conceals a malicious archive.
To dodge antivirus systems, the threat actor distributes the package as an encrypted archive using simple passwords, often stored on cloud storage platforms. Analysis of the package reveals an MSI installer file that deploys a malicious Chrome extension upon execution, subsequently mimicking Google Translate to infiltrate users’ browsers.
