
SILENTFADE: The long-running malware campaign that targets Facebook Ads

Facebook has released details of a long-running ad fraud campaign, active since 2016, that targets Facebook Ads users with the SilentFade malware (short for "Silently Running Facebook Ads with Exploits"). The attackers behind the campaign aim to steal Facebook credentials and browser cookies.

According to the company, the malware is linked to China and allowed the attackers to steal more than $4 million from users' ad accounts. The attackers first compromised users' Facebook accounts by stealing their browser cookies, then used those accounts for malicious activity, including running malicious ads. Facebook spotted the campaign in December 2018, when it noticed a spike in suspicious traffic to a number of Facebook endpoints.


Facebook researchers Sanchit Karve and Jennifer Urgilez reported this week at the Virus Bulletin 2020 security conference that they had uncovered notable techniques used to compromise user accounts for the purpose of ad fraud. The attackers mostly ran malicious advertising campaigns, often in the form of pharmaceutical pill ads and spam featuring fake celebrities.

Facebook confirmed that the initial infection did not come from its platform: SilentFade did not spread through Facebook or its products. The researchers found that it was typically bundled with potentially unwanted programs (PUPs).


Once installed, SilentFade lets the attackers steal stored Facebook credentials and cookies from popular browsers such as Internet Explorer, Chromium-based browsers and Firefox. Its credential-theft component only took Facebook-related credentials and cookies found on the compromised machine. The researchers also pointed out that cookies are more valuable than passwords because they contain session tokens, i.e. post-authentication tokens. Using stolen credentials this way fails against accounts protected by two-factor authentication (2FA), which SilentFade cannot bypass.

The researchers explained that all Chromium- and Firefox-based browsers store credentials and cookies in SQLite databases, so malware running on an infected endpoint can read the cookie store if it knows where each browser keeps it. The malware consists of three to four components, the main one being bundled inside PUP packages.

The downloader component fetches either a standalone malware component or a Windows service installed as "AdService" or "HNService". The service provides persistence across reboots and drops 32-bit and 64-bit DLLs into the Chrome application directory. These proxy DLLs forward calls to the real winhttp.dll, but route the malware's own requests through the Chrome process, evading behavioural anti-malware detection by making them look like innocuous browser network requests.
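A defender-side check for the DLL placement described above, added here as an example and not part of the original article or of Facebook's research: it scans a file inventory for Windows system DLL names that sit outside the Windows system directories, which is the static tell of a proxy winhttp.dll dropped into Chrome's application directory. The DLL list, the trusted directories and the inventory lines are constructed assumptions for the example.

```python
"""Hunt for system DLL names planted in a browser's application directory.

A proxy DLL named winhttp.dll placed next to chrome.exe is loaded ahead of the
copy in System32 (DLL search-order hijacking) and forwards the real exports,
so the browser keeps working. The file's location is the giveaway.
Added example; not the article's or Facebook's code.
"""
from pathlib import PureWindowsPath

# Assumption: a short illustrative list of system DLLs that a browser install
# directory has no legitimate reason to contain (not an exhaustive catalogue).
SYSTEM_DLLS = {"winhttp.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}

# Directories where these DLLs legitimately live.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Constructed inventory, one path per line, as an EDR file inventory or a
# recursive directory listing export might produce it.
SAMPLE_INVENTORY = r"""
C:\Windows\System32\winhttp.dll
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\winhttp.dll
C:\Program Files (x86)\Google\Chrome\Application\winhttp.dll
C:\Program Files\Mozilla Firefox\firefox.exe
"""


def is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies inside parent' test for Windows paths."""
    p = [part.lower() for part in path.parts]
    q = [part.lower() for part in parent.parts]
    return p[: len(q)] == q


def find_planted_system_dlls(inventory: str) -> list[str]:
    """Return paths whose file name is a system DLL name but whose directory
    is outside the trusted Windows system directories."""
    findings = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line:
            continue
        path = PureWindowsPath(line)
        if path.name.lower() not in SYSTEM_DLLS:
            continue
        if any(is_under(path, trusted) for trusted in TRUSTED_DIRS):
            continue
        findings.append(str(path))
    return findings


if __name__ == "__main__":
    for hit in find_planted_system_dlls(SAMPLE_INVENTORY):
        print("suspicious DLL placement:", hit)
```

A hit warrants comparing the file's signature and hash against the genuine Microsoft binary before acting, since a legitimately redistributed DLL would also match by name.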

When stealing Facebook-related credentials, SilentFade also retrieves the account's metadata (payment information and the total amount previously spent on Facebook ads) through the Facebook Graph API. The malware sends this data to its C2 servers as an encrypted JSON block carried in custom HTTP headers.


SilentFade uses a number of evasion techniques: it can detect virtual machines and it disables Facebook security notifications on compromised accounts.

The C2 server stored the data received from each infected machine and recorded the source IP address of the request for geolocation. Location matters to the fraud scheme because the attackers deliberately used the stolen credentials from near the infected device's region.

In addition, according to Security Affairs, Facebook accounts with linked credit cards were used to promote malicious ads on Facebook. Facebook's researchers pointed out that financial data such as bank account and credit card numbers was never exposed to the attackers, because Facebook does not make it visible through the desktop website or the Graph API.

The researchers also uncovered other malware campaigns linked to China, some of which are still ongoing. The attackers used several malware families, including StressPaint, FacebookRobot and Scranos.

Facebook said it expects more malware campaigns, especially against platforms that serve a large audience, and that only user education and strong partnerships across the security industry can mitigate such campaigns and deal with them effectively.
