In the past few years, several disturbing reports have appeared regarding information theft, suspicious surveillance incidents, data breaches and hacking, including the highly controversial Facebook–Cambridge Analytica data scandal. Now researchers have detected an information-stealing malware, disguised as a PDF reader, that steals Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager.
Security experts found numerous sites distributing a fake PDF editing program called 'PDFreader'; the executables distributed from these sites are signed with a digital certificate issued by Sectigo to "Rakete Content Gmbh".
Researchers later identified the Trojan as Socelars, which resembles the earlier malware Stresspaint and AdKoob: both featured code that tried to sneak into a victim's Facebook account to see how people are spending their online ad money. It should be noted that the stolen information can be used or sold for further attacks. Stolen credentials could also be used to buy ads, to read a user's Facebook contacts, or to tamper with the platform.
BleepingComputer.com analyst Vitali Kremez, who analyzed this Trojan, said that there is not much code similarity between this Trojan and the others. In addition, he said that "it must be a newer (maybe inspired) variant or significantly improved one over the previous generation. I assess this might be only the beginning of the evolution of this type of malware targeting ad and social media providers."
The target of the Trojan
According to Kremez, the Trojan first steals Facebook session cookies from Chrome and Firefox by reading each browser's Cookies SQLite database. The stolen cookie is then used to connect to a variety of Facebook URLs from which information is extracted. Next, the account_billing URL is used to obtain the user's account_id and access_token, which are then used in a Facebook Graph API call to steal data from the user's Ads Manager settings.
The stolen data, which includes cookies, access tokens, account IDs, advertising email address, associated pages, credit card information (number and expiration date), PayPal email, ad balances and spending limits, is sent to the attacker's Command & Control server.
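The two-step behaviour described above (a non-browser process reading the Chrome or Firefox cookie database, then replaying the stolen session against Facebook endpoints) is something an endpoint team can hunt for in file-access and network telemetry. The following is an added detection example written for this article; it is not code from the researchers or from any vendor. The event field names (type, pid, image, target_path, dest_host), the Windows profile paths and the sample events are all assumptions constructed for the example; "PDFreader.exe" is used only as a constructed process name echoing the program the article mentions.

```python
"""Added example (not from the article): flag non-browser processes that
open a Chrome/Firefox cookie store and then contact Facebook hosts, the
sequence the article attributes to Socelars. Event layout is assumed."""
import re
from collections import defaultdict
from typing import Dict, List

# Where Chrome and Firefox keep their cookie SQLite databases on Windows
# (assumed layouts; newer Chrome builds place the file under Network\).
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.IGNORECASE),
]
# Processes that legitimately open their own cookie stores.
KNOWN_BROWSERS = {"chrome.exe", "firefox.exe"}
# Hosts the article says the stolen cookies and tokens are replayed against.
FACEBOOK_HOSTS = ("facebook.com", "graph.facebook.com")


def is_cookie_store(path: str) -> bool:
    """True if path points at a Chrome or Firefox cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def is_facebook_host(host: str) -> bool:
    """Exact or subdomain match against the Facebook hosts of interest."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in FACEBOOK_HOSTS)


def image_name(image: str) -> str:
    """Executable file name from a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def flag_cookie_theft(events: List[Dict]) -> List[Dict]:
    """Return one finding per non-browser process that opened a cookie store.
    Severity is 'high' when the same process also connected to a Facebook
    host (the cookie-replay step); Facebook traffic alone is never flagged."""
    per_process = defaultdict(lambda: {"cookie_stores": [], "facebook_hosts": []})
    for ev in events:
        if image_name(ev["image"]) in KNOWN_BROWSERS:
            continue  # browsers are expected to open their own cookie files
        key = (ev["pid"], ev["image"])
        if ev["type"] == "file" and is_cookie_store(ev["target_path"]):
            per_process[key]["cookie_stores"].append(ev["target_path"])
        elif ev["type"] == "network" and is_facebook_host(ev["dest_host"]):
            per_process[key]["facebook_hosts"].append(ev["dest_host"])
    findings = []
    for (pid, image), seen in per_process.items():
        if not seen["cookie_stores"]:
            continue
        findings.append({
            "pid": pid,
            "image": image,
            "cookie_stores": seen["cookie_stores"],
            "facebook_hosts": seen["facebook_hosts"],
            "severity": "high" if seen["facebook_hosts"] else "medium",
        })
    return findings


# Constructed sample telemetry (not real logs, not from the article).
SAMPLE_EVENTS = [
    {"type": "file", "pid": 1204, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file", "pid": 4412, "image": r"C:\Users\alice\Downloads\PDFreader.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"type": "file", "pid": 4412, "image": r"C:\Users\alice\Downloads\PDFreader.exe",
     "target_path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"},
    {"type": "network", "pid": 4412, "image": r"C:\Users\alice\Downloads\PDFreader.exe",
     "dest_host": "graph.facebook.com"},
    {"type": "network", "pid": 1204, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.facebook.com"},
    {"type": "network", "pid": 5120, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "www.facebook.com"},
    {"type": "file", "pid": 2231, "image": r"C:\Windows\System32\notepad.exe",
     "target_path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in flag_cookie_theft(SAMPLE_EVENTS):
        print(f["severity"], f["image"], f["cookie_stores"], f["facebook_hosts"])
```

On the sample telemetry only the PDFreader.exe process is reported, at high severity, because it touched both browsers' cookie databases and then reached graph.facebook.com; the browsers' own access and svchost.exe's Facebook traffic are ignored. Keying findings on (pid, image) rather than on the executable name alone keeps a legitimate and a renamed impostor copy of the same binary from being merged.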