Hacked Facebook accounts belonging to a Brazilian ISP, a Mexican sporting goods store, a mountain tourism site from Slovakia, and a computer repair shop in the Philippines are spreading posts that link to malware to users around the world.
Avast researchers have discovered hacked Facebook business pages spreading a password stealer called Redline Stealer, which is capable of stealing passwords and downloading further malware. The malware is available for purchase on the dark web for about $100 to $150, making it difficult to pinpoint a particular group or person hacking these accounts.
We spotted a sponsored post on a Facebook feed a few weeks ago that was promoting a free Adobe Acrobat Reader. We were immediately suspicious, as the link shown in the post preview was “Mediafire.com”, not “Adobe.com”. Furthermore, the post came from a company called Viu Internet.
Viu Internet is an internet service provider from Brazil. More than 15,000 people follow their Facebook page. Since August, posts in English promoting free downloads of wallpaper applications, the video game Grand Theft Auto, Adobe Acrobat Reader, and Stray, also a video game, have appeared on the business's Facebook page. It’s obvious that the page has been hacked: the style of the posts and the content the page is promoting are very different from the posts uploaded before August.
We aren’t sure if the hackers are using the business’ payment options to pay for the sponsored posts, or if they are covering the costs themselves and just leveraging the page’s community to ensure their posts reach actual people.
The links in the post lead to a file on a storage and sharing site. To get infected, users have to download the file, extract the contents, and run the file.
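The mismatch that raised suspicion above (a post promoting Adobe Acrobat Reader whose preview link shows Mediafire.com rather than Adobe.com) can be checked mechanically. The following is an added example, not code from Avast; the product-to-vendor table, the file-sharing list and the sample posts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: product keyword -> vendor domain. Only this pairing appears in the article.
VENDOR_DOMAINS = {"adobe acrobat reader": "adobe.com"}
# Assumption: hosts treated as generic file sharing; the article names Mediafire.com.
FILE_SHARING = {"mediafire.com"}

def host_of(url):
    """Return the lowercase hostname a browser would actually contact."""
    # urlsplit discards userinfo, so "adobe.com@files.example" resolves to files.example.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()

def within(host, domain):
    """True only for the domain itself or a subdomain on a label boundary."""
    # A plain substring test would wrongly accept "adobe.com.downloads.example".
    return host == domain or host.endswith("." + domain)

def review_post(text, link):
    """Return the reasons a promoted link looks wrong for the product it names."""
    host, lowered, reasons = host_of(link), text.lower(), []
    for product, vendor in VENDOR_DOMAINS.items():
        if product in lowered and not within(host, vendor):
            reasons.append(f"promotes {product!r} but links to {host}, not {vendor}")
    if any(within(host, fs) for fs in FILE_SHARING):
        reasons.append(f"download is hosted on file-sharing site {host}")
    return reasons

# Constructed sample posts (text, link); none are real URLs from the campaign.
SAMPLES = [
    ("Free Adobe Acrobat Reader download", "https://www.mediafire.com/file/EXAMPLE/reader.zip"),
    ("Get Adobe Acrobat Reader", "https://www.adobe.com/acrobat/"),
    ("Adobe Acrobat Reader free", "https://adobe.com.downloads.example/reader.zip"),
    ("Adobe Acrobat Reader free", "https://adobe.com@files.example/reader.zip"),
]

if __name__ == "__main__":
    for text, link in SAMPLES:
        print(link, "->", review_post(text, link) or "no mismatch")
```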
Viu Internet is warning people visiting their homepage that their Facebook page has been hacked. It looks like they are unable to regain access to their account.
In addition to Viu Internet’s Facebook page, we are aware of a few more hacked Facebook pages posting the same content. These include a Mexican sporting goods store called Max Deportes (114,000+ Facebook followers), a Slovakian mountain tourism site named Mladi, gremo v hribe (2,000+ Facebook followers), and a computer repair shop, Computer Repair Davao in the Philippines (700+ Facebook followers).
We reported these posts and ads to Facebook using the on-site reporting function, but no action has been taken yet. Avast Antivirus blocks the malware distributed by these posts.