Skip to main content

Malicious Facebook Ads

Malvertisements are one of many infection vectors that threat actors use. It gives them an advantage to pique the interest of unsuspecting users to fall victim to their attacks. With many reports and research making the rounds for the past month, we encountered one shared by a user.

This specific case poses as an advertisement for GoggleAI exclusive to EU countries, baiting users to clicking and installing it by including a free installation code in the ad. Investigating the link further, it will serve a RAR file named AIgoogle Assistant Setup.rar when clicked. The password for the archive file is “free”. An MSI file is extracted named Setup.msi.

Figure 1.0 Malicious Facebook Ad

Analysis from Varist’s Hybrid Analyzer reports malicious indicators, which we can use as reference while digging through the installed components.

Figure 2.0 Varist Hybrid Analyzer Report for Setup.MSI

Executing Setup.msi drops multiple files, which include components used to install a fake Google Translate Chrome extension.

Figure 3.0 Fake Google Translate Chrome Extension Information

One of the Chrome extension component is a JavaScript containing most of the malicious code, verified as a Facebook profile grabber similar to the one reported by Trend Micro, which Varist detects as JS/ExtenBro.B!Eldorado.

Code Snippet 1.1 Fake Google Chrome Extension JavaScript component

Looking through the code, we find the following string variables, which were also present in a recently leaked package of a LnkBotBuilder. These strings appear to be part of a campaign ID linking to Operation Ducktail, which lead us to investigate further.

Code Snippet 1.2 Campaign ID strings linking to Operation Ducktail

Big Brands, Big Opportunities

Operation Ducktail is cybercrime campaign that targets individuals and businesses in digital marketing and advertising sectors active on Meta’s Facebook Ads and Business platform as reported by WithSecure, The threat actors, which were attributed as Vietnamese in descent, pose as big brands luring their targets with potential brand collaboration, which would be a big break for businesses and rising social media influencers. Unfortunately, Operation Ducktail only brings despair to these businesses and individuals as their end goal is to steal information and eventually the businesses themselves.

Researching for more information on this operation, we found a related campaign using the Calvin Klein brand to lure victims by sending a file named CALVIN KLEIN NEW, which contains an LNK file that executes an encoded PowerShell script as shown in the code snippet below.

Code Snippet 2.0 Malicious LNK Command Line Argument

This PowerShell script decodes to another shell script, which is split into two (2) parts stored in variables $cjsftwh and $jwyihaoqk as highlighted in the code snippet shown below.

Code Snippet 3.0 Decoded PowerShell script from malicious LNK

The 7dc.ps1 file is also obfuscated using Base64 so we will just use the deobfuscated source for readability. Once the code is deobfuscated, it’s pretty straight forward.

Code Snippet 5.0 Deobfuscated remote PowerShell script payload.

The script will try to perform some Windows Defender Bypass and disable event tracing for windows.

Code Snippet 6.0 Windows Defender bypass and disabling of event tracing.

It will try to download a decoy document named “CALVIN_KLEIN__CONTACT_PARTNERSHIP_FORM.docx” to make it seems legitimate. But they just want more information to steal from the victim.

Code Snippet 7.0 Download and opening of decoy document
Figure 3.0 Screenshot of the downloaded decoy document.

In preparation for downloading its payload, it will try to add C:\Windows\Temp to the exclusion list of Windows Defender. It will disable scheduled and real-time scanning for the files in the folder.

Code Snippet 8.0 Excluding temporary directory from real-time scanning.

It will try to download 2 payloads. If one of them succeeds, it will try to install as a scheduled task as its persistence mechanism before executing it.

  1. hxxps://wordpress[.]ductai[.]xyz/bdata/data
    • File name: C:\Windows\Temp\svczHost.exe
    • Task name: zServicequyet2
  2. hxxps://wordpress[.]ductai[.]xyz/bdata/fbmain
    • File name: C:\Windows\Temp\svczxHost.exe
    • Task name: zServicequyet2x
Code Snippet 9.0 Downloading of payloads and adding scheduled task for persistence.

The executable payload tries to connect to the following URLs in attempt to download another payload. Unfortunately, as of this writing the file is no longer available.

  • hxxp://
  • hxxps://

Best Practices and Recommendations

These attacks prove that threat actors will make the most out of the opportunity presented to them if the proper solution is not yet set in place. Facebook is also monitoring such threats in their platform. With the help of the security researchers, they are devising solutions to thwart these attacks.

Varist highly recommends keeping your antivirus definitions up to date and exercising caution when opening attachments, even if they are from someone you trust, doing so will help protect you from social engineering attacks delivering malware. 

Indicators of Compromise

Filename or URL SHA256 Description Varist Detection
Setup.msi 4b35ad1a756f2131e7a6b0401afde1358809173617cbabc680dec783026b52dd Fake Google AI Installer JS/ExenBro.B!Eldorado
CALVIN KLEIN NEW 5c34196fd3efbdc075952a18a172ce84db12a58ac67fd06a773cc958a0f646de Bait proposal package  
CALVIN KLEIN- CONTACT PARTNERSHIP FORM.docx.lnk 175806c13043b6316ad0c3719c0ce283b28d9fb97d2750c0937c3749a1b435e5 Malicious Downloader LNK LNK/Agent.HD
hxxps://wordpress[.]ductai[.]xyz/file/ps/7dc.ps1 28656133b2edb297774d4f5ff683382277cb7eac5e494b1d4afb650f946d924f Malicious Powershell Script  
CALVIN-KLEIN_DAILY FASHION, TIME STYLE.mp4.lnk ef398b8af6b1dc76d1d6ee259d4c818cbe2a8e7ff8c53b769ad3f2338c18903c Malicious Downloader LNK LNK/Agent.HD
hxxps://wordpress[.]ductai[.]xyz/file/ps/g22qn.ps1 e8b693c135b059617a6b1ff43d36c68ba77c243a37ebb925615c084dcf7f5c17 Malicious Powershell Script  
CALVIN KLEIN- COST BUDGET.docx.lnk 23c5ccbf94dde718c837de8bcec2076d8e1805d165ff7bf604c22ed0449e2659 Malicious Downloader LNK LNK/Agent.HD
hxxps://wordpress[.]ductai[.]xyz/file/ps/gmv9.ps1 c3087a79fa309fca7f6d0b2da64f77f97a64468db1f3a1956b3f299da6a05b6e Malicious Powershell Script  
hxxps://wordpress[.]ductai[.]xyz/bdata/fbmain 0fc30ab0bb340134cb9ab1070ba75d08ea75b4199c6c5185256ffb86bed2329d Malicious Windows PE (64-bit) Payload W64/Kryptik.KRN.gen!Eldorado
hxxps://wordpress[.]ductai[.]xyz/bdata/data 6fa92749a9798450d7f7a7cd8cf7b5132ac9b90f0e0095185d8884393af45cc6 Malicious Windows PE (64-bit) Payload W64/Kryptik.KRN.gen!Eldorado
hxxp://   Payload URL  
hxxps://   Payload URL