Throughout 2024, Bitdefender Labs has been closely monitoring a series of malvertising campaigns that exploit popular platforms to spread malware. These campaigns use fake advertisements to lure users into installing malicious software disguised as legitimate apps or updates. One of the more recent campaigns Bitdefender Labs uncovered involves a fake Bitwarden extension advertised on Meta’s social media platform, Facebook. The campaign tricks users into installing a harmful browser extension under the guise of a security update.
Key findings include: 
• Platform Exploitation: Attackers are leveraging Facebook’s advertising platform to deliver ads that look legitimate but lead to a malicious website. 
• Impersonation of Reputable Brands: The campaign impersonates Bitwarden, a popular password manager, to build trust and create a sense of urgency by prompting users to install a supposed "security update."
• Specific Target Demographics: Launched on 3 November 2024, this campaign targets consumers aged 18 to 65 across Europe.
• Current Reach and Global Expansion Potential: The malicious ads have already been served to thousands of users and could expand further. If left unchecked, this campaign could scale globally, affecting users worldwide.
• Use of Redirect Chains: Users who click on these ads are redirected through multiple sites, ultimately landing on a phishing page that mimics the official Chrome Web Store to obscure the ad’s malicious intent.
• Data Collection on Business and Personal Accounts: The malware gathers personal data and targets Facebook business accounts, potentially leading to financial losses for individuals and businesses.
Once again, this campaign highlights how threat actors exploit trusted platforms like Facebook to lure users into compromising their security. By masquerading as a reputable tool and imitating urgent update notifications, cybercriminals gain access to valuable personal and business information.
Thanks to Bitdefender Labs’ research, we now have a more precise understanding of the evolving tactics used in this type of attack:
1. Step One: Fake Ads to Lure Users In - The attack begins with a deceptive Facebook ad that warns users that their passwords are at risk and urges them to update their Bitwarden browser extension. The ad looks legitimate, using Bitwarden branding and urgent language, such as "Warning: Your Passwords Are at Risk!" to push users into action.
Clicking on the ad takes users to a fake webpage that mimics the official Chrome Web Store. Users who click "Add to Chrome" are redirected to a Google Drive link containing a zip file with the malicious extension. Attackers guide users through a process to install the extension by:
• Unzipping the file
• Going to their browser’s extension settings via chrome://extensions
• Enabling Developer Mode
• Manually loading the unpacked extension (sideloading). This method manipulates users into bypassing browser security checks, allowing the malware to install without detection.
2. Malicious Extension Details: Full Access and Suspicious Permissions - Once installed, the malicious extension requests extensive permissions that allow it to intercept and manipulate the user’s online activities. A closer look at the extension’s manifest file reveals permissions to operate on all websites, modify network requests, and access storage and cookies. Key aspects of the manifest include:
{
  "name": "Bitwarden Password Manager",
  "version": "0.0.1",
  "manifest_version": 3,
  "background": {
    "service_worker": "service-worker-loader.js",
    "type": "module"
  },
  "permissions": [
    "contextMenus",
    "storage",
    "cookies",
    "tabs",
    "declarativeNetRequest",
    "webNavigation",
    "webRequest",
    "management"
  ]
}
The extension’s service-worker-loader.js script initiates background.js, the primary component driving the malicious operations. Additionally, pop-up.js, an obfuscated script, loads when users click the extension icon in their browser, enabling it to:
• access cookies from https://facebook.com, specifically seeking the c_user cookie containing the Facebook user ID.
• manipulate the page’s DOM elements to display fake loading messages, creating an illusion of legitimate actions.
3. Background Worker: Collecting and Exfiltrating Data - The background.js script, which activates upon installation, is the core of this attack.
// Fires when the extension is installed; the first action is the Facebook cookie check.
chrome.runtime.onInstalled.addListener(async details => {
  getFacebookCookies();
});
Here’s how it operates:
Cookie Harvesting: background.js calls getFacebookCookies() to check for Facebook cookies upon installation. If found, it gathers further data using the collectData() function.
IP and Geolocation Data Collection: The extension queries IP and location data via https://api.ipify.org and https://freeipapi.com. 
Facebook Data Extraction: Through Facebook’s Graph API, the malware retrieves user data, including:
• Personal details like user ID and name
• Business accounts and ad account information
• Credit card and billing details associated with ad accounts
Once collected, the data is sent to a Google Script URL, which acts as the attackers' command-and-control (C2) server. The sendData() function handles data exfiltration by encoding and transmitting sensitive information. 
4. Detection and Defense Strategies: Detecting and mitigating this attack is challenging for cybersecurity teams because it relies on legitimate platforms like Facebook and Google Drive. Here are some detection ideas for security professionals:
• Monitor Suspicious Permissions: declarativeNetRequest and webRequest permissions, paired with access to cookies, are strong indicators of potential malware. 
• Behavioral Signatures: Obfuscated functions like chrome.runtime.onInstalled.addListener and calls to graph.facebook.com APIs can serve as indicators of compromise (IoCs).
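One way to turn the two detection ideas above into a triage check, as an added example that is not Bitdefender's or Red Sky Alliance's tooling: it audits a manifest for the cookies-plus-network-permission pairing and scans extension sources for the strings named in this article. The function names, the `<all_urls>` host-permission check and the sample JavaScript text are assumptions constructed for illustration.

```python
import json
import re

# Permission pairing and strings the article lists as detection ideas.
NETWORK_PERMS = {"declarativeNetRequest", "webRequest"}
SIGNATURES = {
    "onInstalled": re.compile(r"chrome\.runtime\.onInstalled\.addListener"),
    "graph_api": re.compile(r"graph\.facebook\.com", re.I),
    "ip_lookup": re.compile(r"api\.ipify\.org|freeipapi\.com", re.I),
    "c_user": re.compile(r"\bc_user\b"),
}

def audit_manifest(manifest_text):
    """Return risky permission findings from a manifest.json string."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    findings = []
    net = sorted(perms & NETWORK_PERMS)
    if "cookies" in perms and net:
        findings.append("cookies+" + "+".join(net))
    if "management" in perms:
        findings.append("management")
    # Assumption: host_permissions is not shown in the manifest excerpt above.
    if "<all_urls>" in manifest.get("host_permissions", []):
        findings.append("all_urls")
    return findings

def scan_sources(sources):
    """Map each signature name to the sorted files whose text matches it."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        files = sorted(f for f, text in sources.items() if pattern.search(text))
        if files:
            hits[name] = files
    return hits

def triage(manifest_text, sources):
    """Flag only when the permission pairing and a network signature coincide,
    since an onInstalled listener alone is common in benign extensions."""
    perms = audit_manifest(manifest_text)
    hits = scan_sources(sources)
    paired = any(p.startswith("cookies+") for p in perms)
    network = bool({"graph_api", "ip_lookup"} & hits.keys())
    return {"permissions": perms, "signatures": hits, "flag": paired and network}

# Permissions copied from the manifest above; the JS text is a constructed sample.
SAMPLE_MANIFEST = json.dumps({"name": "Bitwarden Password Manager", "manifest_version": 3,
    "permissions": ["contextMenus", "storage", "cookies", "tabs",
                    "declarativeNetRequest", "webNavigation", "webRequest", "management"]})
SAMPLE_SOURCES = {"background.js": "chrome.runtime.onInstalled.addListener(cb); "
                                   "// https://graph.facebook.com https://api.ipify.org"}
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "permissions": ["storage"]})
```

Calling `triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)` flags the sample, while a manifest with only `storage` and a lone onInstalled listener does not.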
Recommendations - To protect yourself from similar malvertising campaigns, follow these essential security tips:
• Verify Extension Updates: Always update extensions directly through official browser stores (e.g., Chrome Web Store) rather than by clicking on ads or third-party links.
• Scrutinize Ads and Links: Be cautious of sponsored ads on social media, especially those calling for immediate action or updates for security tools.
• Check Extension Permissions: Review an extension’s permissions before installing or updating it. Extensions requesting access to cookies, network requests, or all website data may be malicious.
• Enable Security Features: Use browser security settings, such as disabling Developer Mode when not in use, to prevent unauthorized sideloading of extensions.
• Report Suspicious Ads: If you encounter misleading or malicious ads on social media, report them to the platform to help prevent the spread of similar attacks.
5. Use a Security Solution: Protect yourself from malware and phishing attacks by using a reliable security solution. A comprehensive security solution detects and blocks malicious links, phishing attempts, and unauthorized browser extensions, adding an extra layer of protection.
Additionally, with the launch of our new Scam Copilot, you can get comprehensive scam protection across all your devices with access to your personal scam adviser chatbot, scam wave alerts in your area, real-time detection of scams in your browsing activities, and remote access scam protection, among other things. The Scam Copilot features, paired with our award-winning anti-malware protection, can be found in our all-in-one security solutions.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com 
• Reporting: https://www.redskyalliance.org/ 
• Website: https://www.redskyalliance.com/ 
• LinkedIn: https://www.linkedin.com/company/64265941