Massive Phishing Onslaught Targets Facebook Messenger Business Users – Stop Relying on Detection, Start Isolating
By BUFFERZONE Team, 12/10/2023
Target: IT Professionals
Tags: Malware, Phishing, Zero-Trust, Isolation
Cybercriminals have tapped into a vast network of fake and compromised Facebook profiles to send millions of deceptive Messenger messages to Facebook business accounts, each carrying password-stealing malware.
The attackers trick recipients into downloading an archive (RAR or ZIP) that contains a downloader for a Python-based program built to extract stored cookies and passwords from the user's browser.
The attack begins with deceptive Messenger messages to business accounts on Facebook. These messages masquerade as copyright-infringement notices or product inquiries. The attached archive contains a batch file which, when run, retrieves a malware installer from GitHub repositories; fetching the payload from a legitimate hosting service helps it slip past detection and leaves a minimal footprint on disk.
The installer delivers not only the payload (a file named project.py) but also a standalone Python environment that the stealer needs in order to run.
For persistence, it ensures the malware is launched at system startup.
project.py is wrapped in five layers of obfuscation, which makes it especially hard for anti-virus engines to identify and neutralize.
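The chain described above (a batch file run from an unpacked archive, a fetch from GitHub, a Python interpreter running from a user-writable folder, and a startup persistence entry) can be turned into a staged correlation rule on endpoint telemetry. The following is an added example, not code from BUFFERZONE, Guardio Labs or the article cited: the event records mimic Sysmon-style process-create, network-connect and registry events, and every path, host name, command line and registry key in the sample data is constructed for the demo rather than an indicator from the real campaign. The Run key and Startup folder are assumed persistence locations; the article only says the malware launches at startup.

```python
"""Stage-correlation detector for the Messenger phishing chain.

Added example, not code from BUFFERZONE or Guardio Labs. Event shapes mimic
Sysmon telemetry (process create, network connect, registry set); all paths,
hosts and command lines below are constructed, not real campaign IOCs.
"""
import re

# Assumption for the demo: an archive downloaded via the browser is unpacked
# somewhere user-writable such as Downloads, Temp or AppData.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com")
# Assumed persistence locations (the article only says "launches at startup").
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def stage_batch_from_archive(ev):
    """cmd.exe launched on a .bat/.cmd that sits in a user-writable folder:
    the batch file the user must run for the infection to start."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("\\cmd.exe")
            and re.search(r"\.(bat|cmd)\b", ev["cmdline"], re.I) is not None
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


def stage_github_fetch(ev):
    """Outbound connection to GitHub by a child of cmd.exe: the batch file
    pulling the installer down from a repository."""
    return (ev["type"] == "network"
            and ev["dest_host"].lower() in GITHUB_HOSTS
            and ev["parent_image"].lower().endswith("\\cmd.exe"))


def stage_standalone_python(ev):
    """python.exe running from a user-writable folder (not Program Files)
    and executing a .py script: the dropped interpreter running project.py."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("\\python.exe")
            and USER_WRITABLE.search(ev["image"]) is not None
            and re.search(r"\.py\b", ev["cmdline"], re.I) is not None)


def stage_persistence(ev):
    """Run-key value pointing at a user-writable path, or a Startup-folder drop."""
    if ev["type"] == "registry":
        return (RUN_KEY.search(ev["target"]) is not None
                and USER_WRITABLE.search(ev["details"]) is not None)
    if ev["type"] == "file":
        return STARTUP_DIR.search(ev["target"]) is not None
    return False


STAGES = {
    "batch_from_archive": stage_batch_from_archive,
    "github_fetch": stage_github_fetch,
    "standalone_python": stage_standalone_python,
    "persistence": stage_persistence,
}


def detect_chain(events, min_stages=3):
    """Return (matched stage names, alert) for one endpoint's event stream.
    Requiring several stages keeps a developer running python.exe from a
    venv, or a lone Run-key write, from raising an alert on its own."""
    matched = [name for name, pred in STAGES.items()
               if any(pred(e) for e in events)]
    return matched, len(matched) >= min_stages


# Constructed sample telemetry (hypothetical paths, not real indicators).
INFECTED = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\bob\Downloads\copyright_notice\open.bat"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\py\python.exe",
     "cmdline": r"python.exe C:\Users\bob\AppData\Local\Temp\py\project.py",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\bob\AppData\Local\Temp\py\python.exe C:\Users\bob\AppData\Local\Temp\py\project.py"},
]

BENIGN = [
    {"type": "process", "image": r"C:\Program Files\Python311\python.exe",
     "cmdline": r"python.exe manage.py runserver",
     "parent_image": r"C:\Program Files\Git\usr\bin\bash.exe"},
    {"type": "network", "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent_image": r"C:\Program Files\Git\usr\bin\bash.exe",
     "dest_host": "github.com", "dest_port": 443},
]

if __name__ == "__main__":
    for label, stream in (("infected", INFECTED), ("benign", BENIGN)):
        stages, alert = detect_chain(stream)
        print(f"{label}: stages={stages} alert={alert}")
```

Each stage on its own is noisy (developers fetch from GitHub and run python.exe from user folders all day); the value is in requiring three of the four within one endpoint's stream. On real telemetry you would additionally key the correlation on process ancestry and a time window rather than on the whole stream.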
Guardio Labs has quantified the campaign's reach: by their analysis, 7% of all Facebook business accounts have been targeted, and about 0.4% downloaded the malicious archive.
Note, however, that the malware only runs if the user executes the batch file inside the archive; downloading alone does not infect the machine. The exact number of compromised accounts is unknown, but given the scale it is likely substantial.
What can we do?
The answer lies not in detecting each new variation of the attack but in preventing it from running at all. This is why we created BUFFERZONE® Safe Workspace™.
BUFFERZONE Safe Workspace™ is a comprehensive defense suite built on application isolation. It includes the Safe Browser, SafeBridge® (with Content Disarm and Reconstruction functions), Safe Mail, and Safe Removable (for thwarting USB-based attacks), all complemented by clipboard security. At its core, Safe Workspace™ deploys a virtual container created by a kernel driver. This container splits the operating system into two logical zones:
Trusted Zone: A non-isolated region connected to the organization’s resources.
Untrusted Zone: Serving as a protective buffer, this zone enables various applications to operate in isolation, cordoned off from the memory, files, registry, and processes of the trusted zone.
Safe Workspace™ lets users open USB files, email attachments, and downloaded content inside a protective virtual container that isolates potential threats from the rest of the environment, so that malware cannot reach or compromise sensitive organizational data. The container is periodically deleted and rebuilt, and detection engines can scan it for added security. By keeping potential threats contained, BUFFERZONE prevents malicious code from spreading within an organization.
With the browser isolated, every downloaded file stays in the container and the extracted files are not permitted to run, so this evasive attack fails at the step it depends on: the archive in this campaign is harmless until its batch file executes, and in the untrusted zone it cannot. BUFFERZONE® also lets third-party detection engines scan the isolated container; if any part of the attack is detected, the file can be quarantined and the environment cleaned in a few seconds.
Bill Toulas, Facebook Messenger phishing wave targets 100K business accounts per week