Unmasking AI-Themed Malvertising Targeting Social Media Users

Social media platforms provide cybercriminals with significant opportunities to launch malicious attacks against unsuspecting users. One prevalent infection vector is malvertising, where threat actors craft compelling posts tied to trending topics, such as generative AI or major global events, and exploit ad networks to maximize their reach. These deceptive posts often include links to fraudulent domains impersonating legitimate AI tools, enticing users to download and install malicious payloads. These payloads typically contain info-stealers capable of exfiltrating sensitive personal data, such as login credentials or financial details, which can be used to gain unauthorized access or hijack victims’ social media accounts.

In this presentation, we examine the current landscape of malvertising on social media platforms and analyze the most common techniques employed by cybercriminals to deceive users. We will focus on a prolific AI-themed malvertising campaign, dissecting its entire infection chain from initial engagement to payload delivery. Examples of fake and hijacked Facebook pages, boosted malicious posts, and distributed malicious packages will be presented. We will demonstrate our approach to analyzing these often multi-layered, obfuscated packages and extracting critical artifacts, such as campaign IDs and command-and-control (C&C) servers, from the samples.

Additionally, we will analyze several notable malware families observed in the wild, including:

  1. Remote Access Trojans (RATs), such as XWorm and PureHVNC, with advanced data-stealing capabilities
  2. Information stealers, such as Noodlophile, written in .NET or Python

Finally, we will share our threat-hunting techniques and discuss the primary targets of these campaigns, providing insights into mitigating such threats.

Jaromír Hořejší – Check Point

Jaromír Hořejší is a Security Researcher at Check Point Research, specializing in tracking and reverse-engineering threats, including APTs, DDoS botnets, banking trojans, click fraud, and ransomware targeting Windows and Linux systems. His work has been presented at leading conferences such as RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.