How a Chinese malware gang defrauded Facebook users of $4 million

October 4, 2020
in Internet Security

Image: Kon Karampelas

At the Virus Bulletin 2020 security conference today, members of the Facebook security team disclosed more details about one of the most sophisticated malware operations ever to target Facebook users.

Known internally at Facebook as SilentFade, this malware gang was active between late 2018 and February 2019, when Facebook’s security team detected their presence and intervened to stop their attacks.

SilentFade utilized a combination of a Windows trojan, browser injections, clever scripting, and a bug in the Facebook platform, showing a sophisticated modus operandi rarely seen with malware gangs targeting Facebook’s platform.

The purpose of SilentFade’s operations was to infect users with the trojan, hijack the users’ browsers, and steal passwords and browser cookies so they could access Facebook accounts.

Once they had access, the group searched for accounts that had any type of payment method attached to their profile. For these accounts, SilentFade bought Facebook ads with the victim’s funds.

[Image: silentfade-mo.png, SilentFade's modus operandi. Credit: Karve and Urgilez VB talk]

Despite operating only for a few months, Facebook said the group managed to defraud infected users of more than $4 million, which they used to post malicious Facebook ads across the social network.

The ads, which were usually shown only in the infected user's geographic region to limit their exposure, all followed a similar template.

They used URL shorteners and images of celebrities to lure users to sites selling shady products, such as weight-loss products, keto pills, and more.

[Image: silentfade-ad-samples.png, samples of the malicious ads. Credit: Karve and Urgilez VB talk]

Facebook discovered SilentFade’s operations in February 2019, following reports from users of suspicious activities and illegal transactions originating from their accounts.

During the subsequent investigation, Facebook said it found the group’s malware, previous malware strains, and campaigns dating back to 2016, and even tracked down the gang’s operations to a Chinese company and two developers, which the company sued in December 2019.

SilentFade’s beginnings

According to Facebook, the SilentFade gang began operating in 2016, when it first developed a malware strain named SuperCPA, primarily focused on Chinese users.

“Not a lot is known about this malware as it is primarily driven by downloaded configuration files, but we believe it was used for click fraud – thus CPA in this case refers to Cost Per Action – through a victim install-base in China,” Facebook’s Sanchit Karve and Jennifer Urgilez wrote in their SilentFade report.

But Facebook says the group abandoned the SuperCPA malware in 2017 when they developed the first iteration of the SilentFade malware. This early version infected browsers to steal credentials for Facebook and Twitter accounts, with a focus on verified and high-follower profiles.

Development on SilentFade picked up in 2018, producing its most dangerous version, the one used in the 2018 and 2019 attacks.

How SilentFade spread online

Karve and Urgilez say the gang spread the modern version of SilentFade by bundling it with legitimate software they offered for download online. Facebook said it found ads by the two SilentFade developers posted on hacking forums where they were willing to buy web traffic from hacked sites or other sources, and have this traffic redirected towards the pages hosting the SilentFade-infected software bundles.

[Image: silentfade-ads.png, forum ads posted by the SilentFade developers seeking web traffic. Credit: Karve and Urgilez VB talk]

Once a user was infected, SilentFade’s trojan had control of the victim’s Windows computer, but rather than abuse the system for more intrusive operations, it only replaced legitimate DLL files inside browser installations with malicious versions of the same DLLs, which gave the SilentFade gang control of the browser.

Targeted browsers included Chrome, Firefox, Internet Explorer, Opera, Edge, Orbitum, Amigo, Touch, Kometa, and the Yandex Browser.

The malicious DLLs stole credentials stored in the browser, but, more importantly, browser session cookies.

SilentFade then used the Facebook session cookie to gain access to the victim’s Facebook account without having to provide either credentials or a 2FA token, passing as a legitimate, already-authenticated account holder.
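The DLL-swap described above is cheap to spot on a host if a known-good baseline exists: a same-named replacement changes the file hash. The following is an added example, not code from the article, from Facebook, or from the SilentFade report: a baseline-and-compare integrity check over the DLLs in a browser install directory, run here against a constructed temporary directory standing in for a real install path such as Chrome's `Application` folder (the file names and contents are made up for the demonstration).

```python
"""Added example (not part of the original article): baseline-and-compare
integrity check for DLLs in a browser install directory, the kind of host
check that catches a legitimate DLL being replaced by a malicious copy with
the same name. The directory, file names and contents below are constructed
for the demonstration; on a real host the baseline would be taken from the
browser's install directory immediately after a trusted install or update."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(install_dir: Path) -> dict:
    """Hash every *.dll under install_dir, keyed by its relative path."""
    return {
        str(p.relative_to(install_dir)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(install_dir.rglob("*.dll"))
    }


def compare(install_dir: Path, known_good: dict) -> dict:
    """Report DLLs whose hash changed, DLLs not in the baseline, and DLLs gone missing."""
    current = baseline(install_dir)
    replaced = sorted(n for n in current if n in known_good and current[n] != known_good[n])
    added = sorted(n for n in current if n not in known_good)
    missing = sorted(n for n in known_good if n not in current)
    return {"replaced": replaced, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a fake browser directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "chrome.dll").write_bytes(b"legitimate browser core")      # constructed content
        (d / "chrome_elf.dll").write_bytes(b"legitimate early loader")  # constructed content
        manifest = baseline(d)
        # Attacker overwrites one DLL with a same-named malicious copy and drops a helper.
        (d / "chrome.dll").write_bytes(b"malicious browser core")
        (d / "libhook.dll").write_bytes(b"dropped helper")
        return compare(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live somewhere the malware cannot rewrite (a signed file, or a separate host), and every legitimate browser update changes the hashes, so in practice this is paired with an Authenticode signature check rather than used alone.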

The Facebook platform bug

Here is where SilentFade showed its true sophistication.

Facebook said the malware used clever scripting to disable many of the social network’s security features, and even discovered and used a bug in its platform to prevent users from re-enabling the disabled features.

Karve and Urgilez said that in order to prevent users from finding out that someone might have accessed their account or was posting ads on their behalf, the SilentFade gang used its control over the browser to access the user’s Facebook settings section and disable:

  • Site notifications
  • Chat notification sounds
  • SMS notifications
  • Email notifications of any kind
  • Page-related notifications.

But SilentFade didn’t stop here. Knowing that Facebook’s security systems might detect suspicious activity and logins and notify the user via a private message, the SilentFade gang also blocked the Facebook for Business and Facebook Login Alerts accounts that sent these private messages in the first place.

[Image: silentfade-security-dms.png, the Facebook security accounts whose private messages SilentFade blocked. Credit: Karve and Urgilez VB talk]

The SilentFade group then found a bug in the Facebook platform and abused it every time the user tried to unblock those accounts, triggering an error and preventing users from removing the two blocks.

[Image: silentfade-server-side-bug.png, the error shown when a victim tried to unblock the security accounts. Credit: Karve and Urgilez VB talk]

“This was the first time we observed malware actively changing notification settings, blocking pages, and exploiting a bug in the blocking subsystem to maintain persistence in a compromised account,” Facebook said.

“The exploitation of this notification-related bug, however, became a silver lining that helped us to detect compromised accounts, measure the scale of SilentFade infections, and map abuse originating from user accounts to the malware responsible for the initial account compromise.”
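The sequence described in this section (a session cookie reused from a client that never authenticated it, a burst of notification channels switched off, the security sender accounts blocked, then ad spend) is exactly the kind of pattern a server-side detector can key on. The following is an added example, not the article's, Facebook's, or the report's code: a small detector run over a constructed account-activity log. The event names, the client-fingerprint format, the sender account names used as block targets and the thresholds are all assumptions for the demonstration.

```python
"""Added example (not the article's or Facebook's code): a server-side detector
for the account-takeover pattern described above, run over a constructed
account-activity log. Event names, sender names and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

SECURITY_SENDERS = {"Facebook Login Alerts", "Facebook for Business"}  # assumed names
NOTIFICATION_CHANNELS = {"site", "chat_sound", "sms", "email", "page"}   # assumed setting keys
BURST_WINDOW = timedelta(minutes=10)                                    # assumed threshold

# Constructed sample log: (timestamp, account, session_id, event, detail, client_fingerprint)
LOG = [
    ("2019-01-14T09:00:00", "u1", "s1", "login", "password+2fa", "win10/chrome71/1.2.3.4"),
    ("2019-01-14T09:01:00", "u1", "s1", "post", "photo", "win10/chrome71/1.2.3.4"),
    # The same session cookie replayed from a different client, with no login event at all.
    ("2019-01-14T21:05:00", "u1", "s1", "settings.notification", "site=off", "win7/chrome71/203.0.113.9"),
    ("2019-01-14T21:05:02", "u1", "s1", "settings.notification", "chat_sound=off", "win7/chrome71/203.0.113.9"),
    ("2019-01-14T21:05:03", "u1", "s1", "settings.notification", "sms=off", "win7/chrome71/203.0.113.9"),
    ("2019-01-14T21:05:04", "u1", "s1", "settings.notification", "email=off", "win7/chrome71/203.0.113.9"),
    ("2019-01-14T21:05:20", "u1", "s1", "block", "Facebook Login Alerts", "win7/chrome71/203.0.113.9"),
    ("2019-01-14T21:05:21", "u1", "s1", "block", "Facebook for Business", "win7/chrome71/203.0.113.9"),
    ("2019-01-14T21:30:00", "u1", "s1", "ads.purchase", "campaign=keto", "win7/chrome71/203.0.113.9"),
    # A benign user who turns off two channels hours apart from their own device and buys an ad.
    ("2019-01-14T10:00:00", "u2", "s2", "login", "password", "mac/safari12/198.51.100.7"),
    ("2019-01-14T10:05:00", "u2", "s2", "settings.notification", "email=off", "mac/safari12/198.51.100.7"),
    ("2019-01-14T18:00:00", "u2", "s2", "settings.notification", "sms=off", "mac/safari12/198.51.100.7"),
    ("2019-01-14T18:10:00", "u2", "s2", "ads.purchase", "campaign=bakery", "mac/safari12/198.51.100.7"),
]


def parse(line):
    ts, account, session, event, detail, client = line
    return {"ts": datetime.fromisoformat(ts), "account": account, "session": session,
            "event": event, "detail": detail, "client": client}


def analyze(log):
    """Return {session_id: [indicator, ...]} for sessions matching the takeover pattern."""
    by_session = defaultdict(list)
    for line in log:
        by_session[line[2]].append(parse(line))
    findings = {}
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        indicators = []
        # 1. Cookie replay: the session is driven from a client that never authenticated it.
        login_clients = {e["client"] for e in events if e["event"] == "login"}
        foreign = sorted({e["client"] for e in events if e["client"] not in login_clients})
        if foreign:
            indicators.append("session cookie used from unauthenticated client(s): " + ", ".join(foreign))
        # 2. Three or more notification channels disabled inside one BURST_WINDOW.
        offs = [e for e in events if e["event"] == "settings.notification" and e["detail"].endswith("=off")]
        for i, first in enumerate(offs):
            window = [e for e in offs[i:] if e["ts"] - first["ts"] <= BURST_WINDOW]
            channels = {e["detail"].split("=")[0] for e in window} & NOTIFICATION_CHANNELS
            if len(channels) >= 3:
                indicators.append(f"{len(channels)} notification channels disabled within {BURST_WINDOW}")
                break
        # 3. The accounts that deliver security warnings were blocked.
        blocked = {e["detail"] for e in events if e["event"] == "block"} & SECURITY_SENDERS
        if blocked:
            indicators.append("security senders blocked: " + ", ".join(sorted(blocked)))
        # 4. Money was spent from the suspect session.
        if any(e["event"] == "ads.purchase" for e in events):
            indicators.append("ad purchase in session")
        # Flag only when a strong signal (replay or sender-blocking) is joined by another
        # indicator, so a user who merely tidies their notification settings is not flagged.
        if (foreign or blocked) and len(indicators) >= 2:
            findings[sid] = indicators
    return findings


if __name__ == "__main__":
    for sid, why in analyze(LOG).items():
        print(sid, "->", "; ".join(why))
```

The replay check is the one that matters most: the victim's own device never logs in from the attacker's fingerprint, so a session token appearing on a client with no authentication event of its own is the earliest signal, before any settings are touched.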

Facebook refunded all users

Facebook said it patched the platform bug, reverted the malware’s notification-blocking actions, and refunded all users whose accounts were abused to buy malicious Facebook ads.

The company also didn’t stop here, and throughout 2019 tracked down the malware and its creators all across the web. Clues were found in a GitHub account that apparently was hosting many of the libraries used to build the SilentFade malware.

Facebook tracked down this account and the SilentFade malware to ILikeAd Media International Company Ltd., a Hong Kong-based software company founded in 2016, and Chen Xiao Cong and Huang Tao, the two men behind it. Facebook sued the company and the two devs in December 2019 in a legal case that is still ongoing.

Facebook also said SilentFade was part of a larger trend: a new generation of cybercrime actors that appear to reside in China and have persistently targeted its platform and its 2-billion-user base.

This trend also includes the likes of Scranos, FacebookRobot, and StressPaint.

[Image: silentfade-china.png, China-based malware families targeting Facebook. Credit: Karve and Urgilez VB talk]

Credit: ZDNet
