The recent “Malverposting” campaign attributed to a Vietnamese threat actor has been underway for months and is estimated to have infected over 500,000 devices worldwide in the last three months alone.
The findings come from security researchers at Guardio Labs and were published in a blog post on Wednesday.
In it, the team describes malverposting as “using promoted social media posts or tweets to spread malicious software or other security threats,” in this case the misuse of Facebook’s advertising services to deliver malware.
Nati Tal, Head of Cybersecurity at Guardio Labs, wrote that the Vietnamese campaign has evolved through various evasion techniques while continuing to rely on malicious posts, with a particular focus on the United States, Canada, the United Kingdom and Australia.
“This threat actor is not only creating new business profiles, but hijacking real, reputable profiles with millions of followers,” explained Tal.
The threat actor also repeatedly posted malicious clickbait to Facebook feeds, promising free downloads of adult photo albums.
“If a victim clicks on these posts or links, a malicious ZIP file will be downloaded to their computer,” the advisory states. “Inside it is a picture file (actually a disguised executable) that, when clicked, initiates the infection process.”
The executable then opens a browser pop-up window containing a decoy website whose content matches the lure.
“While in the background, the stealer silently deploys, executes, gains persistence, and periodically steals session cookies, accounts, crypto wallets, etc.”
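As a defender-side illustration of the lure described above (an added example, not code from the Guardio advisory), the following checker inspects a ZIP archive for members whose image extension hides a Windows PE header, or which use a double extension such as `.jpg.scr`. The sample archive, magic-byte table and executable-extension list are all constructed here.

```python
import io
import zipfile

# Constructed table of image magic bytes keyed by claimed extension.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}


def claimed_extension(name: str) -> str:
    """Return the last dotted suffix of the file name (lower-cased)."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for archive members that look like lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(16)
            ext = claimed_extension(info.filename)
            # A "picture" whose bytes start with a PE header is a disguised executable.
            if ext in IMAGE_MAGIC and head.startswith(PE_MAGIC):
                findings.append((info.filename, "image extension but PE header"))
            # Double extension (photo.jpg.scr) hides an executable behind an image name.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if (len(parts) >= 3 and "." + parts[-1] in EXEC_EXTENSIONS
                    and "." + parts[-2] in IMAGE_MAGIC):
                findings.append((info.filename, "double extension hides executable"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: fake images beside a genuine one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo1.jpg", b"MZ\x90\x00" + b"\x00" * 60)       # PE disguised as jpg
        zf.writestr("album/photo2.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # real JPEG header
        zf.writestr("album/photo3.jpg.scr", b"MZ\x90\x00" + b"\x00" * 60)   # double extension
    return buf.getvalue()
```

Running `suspicious_entries(build_sample_zip())` flags `photo1.jpg` and `photo3.jpg.scr` and leaves the genuine JPEG alone.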
Tal revealed that the team observed several variations of the latest payload, all sharing a benign executable to initiate the infection flow.
“Malicious payloads are highly sophisticated, constantly changing and introducing new evasion techniques,” the researchers wrote.
“As we have seen, it takes time for security vendors to take fingerprints and make the right decisions to block, especially when done out of context.”
Guardio Labs’ advisory comes weeks after Group-IB security experts uncovered a phishing scheme that relied on over 3,000 fake profiles targeting Facebook users.
Editorial image credit: BigTunaOnline / Shutterstock.com