- Fake Facebook advertisements are posing as Bitwarden security updates
- The updates actually install a malicious browser extension
- The extension steals personal and financial information from Facebook
Bitdefender has warned that hackers are using the Facebook advertising platform to trick Bitwarden users into installing a fake security update that steals personal data and credit card information from businesses and individuals alike.
The ad lures a user through a string of redirected URLs before landing them on a phishing page designed to imitate the official Chrome Web Store.
Once downloaded, the malware harvests data from Facebook's Graph API, which is then sent to the attacker via a Google Script URL that acts as a command and control (C2) server.
Fake Facebook ads spreading malware
The fake ads create a sense of urgency for users, displaying messages such as “Warning: Your Passwords Are at Risk!” and using Bitwarden branding to appear as a legitimate ad.
Once lured to the fake Chrome Web Store, users then download a zip file that is manually loaded as a Chrome browser extension using Developer mode, avoiding the usual security checks that would take place when adding a browser extension.
The extension then asks for permission to operate on all websites, modify network requests, and access storage and cookies, allowing it to collect and exfiltrate the data your browser has access to. Once the extension is opened, the malware looks for the ‘c_user’ cookie on Facebook, which contains the Facebook user ID.
The malware also uses a background.js script to harvest data from Facebook cookies, including information on location and IP address, and uses the Facebook Graph API to exfiltrate all of the stolen data to the hackers' C2 server.
Bitdefender recommends that users and security teams keep an eye out for extensions that request excessive permissions, as well as those with obfuscated functions such as ‘chrome.runtime.onInstalled.addListener’ and signatures that make requests to graph.facebook.com APIs.
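The checks Bitdefender describes (broad permissions, an onInstalled hook, Graph API calls, the c_user cookie) can be turned into a triage script for an unpacked extension directory. The following is an added example, not code from the article or from Bitdefender; the sample extension it writes to a temp directory is constructed and inert, and the permission list and indicator strings are drawn from the traits described above.

```python
import json
import re
import tempfile
from pathlib import Path

# Permissions the article calls excessive for a "security update": run on all
# sites, alter network requests, read storage and cookies.
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "cookies", "storage"}
# Strings the article ties to this campaign's extension: Graph API calls, the
# Facebook 'c_user' cookie, a Google Script C2 URL and the onInstalled hook.
INDICATORS = {
    "graph_api": re.compile(r"graph\.facebook\.com"),
    "c_user_cookie": re.compile(r"\bc_user\b"),
    "google_script_c2": re.compile(r"script\.google\.com/macros"),
    "oninstalled_hook": re.compile(r"chrome\.runtime\.onInstalled\.addListener"),
}

def scan_extension(ext_dir):
    """Inspect an unpacked extension: manifest permissions plus JS indicators."""
    ext = Path(ext_dir)
    manifest = json.loads((ext / "manifest.json").read_text(encoding="utf-8"))
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = {"risky_permissions": sorted(perms & RISKY_PERMISSIONS), "indicators": {}}
    for js in sorted(ext.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings["indicators"][js.relative_to(ext).as_posix()] = hits
    return findings

def is_suspicious(findings, min_perms=3):
    """Flag when broad permissions and at least one campaign indicator coincide."""
    return len(findings["risky_permissions"]) >= min_perms and bool(findings["indicators"])

def build_sample_extension():
    """Write a constructed, inert extension that mirrors the described traits."""
    root = Path(tempfile.mkdtemp(prefix="ext_scan_"))
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Bitwarden Security Update", "version": "1.0",
        "permissions": ["storage", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"}}), encoding="utf-8")
    (root / "background.js").write_text(
        "chrome.runtime.onInstalled.addListener(() => {\n"
        "  chrome.cookies.get({url: 'https://www.facebook.com', name: 'c_user'}, () => {});\n"
        "  fetch('https://graph.facebook.com/me');\n});\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    f = scan_extension(build_sample_extension())
    print(json.dumps(f, indent=2), "suspicious:", is_suspicious(f))
```

Point `scan_extension` at the directory Chrome shows under chrome://extensions for a Developer-mode extension; a permission set this broad combined with any of the indicators is what Bitdefender's guidance says to look for.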
Users should also double check the authenticity of an update with the manufacturer, pay close attention to updates pushed by ads and social media, and use one of the best antivirus services available as an extra line of defense.
While this campaign has since been taken down, the attack shows the potential for malicious actors to use Facebook advertising and social media to push further malware on a global scale.