# Facebook Ads Manager Targeted by New Info-Stealing Trojan **[bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/](https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) December 2, 2019 05:24 PM 4 Attackers are distributing an information-stealing Trojan disguised as a PDF reader that steals Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager. Over the weekend, [MalwareHunterTeam found numerous sites distributing a fake PDF](https://twitter.com/malwrhunterteam/status/1201552349715673088) editing program called 'PDFreader'. ----- **Site promoting PDFreader** The executables distributed from this site are signed by a digital certificate issued by Sectigo to "Rakete Content Gmbh". ----- **Digital signature** [VirusTotal detects this Trojan as Socelars, but it also shares characteristics with other](https://www.virustotal.com/gui/file/306c26c0e659cdf3b696f3e0fd543846b8b324b51c60887dee1d3169be282df5/detection) [Trojans, such as AdKoob and](https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/) [Stresspaint, that also attempt to extract and steal Facebook](https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/) data from various URLs. According to [Vitali Kremez, who analyzed this Trojan, there is not much code similarity](https://twitter.com/VK_Intel) between this Trojan and the others, so it may be inspired rather than evolved from previous infections. "That tells it must be a newer (maybe inspired) variant or significantly improved one over the previous generation. I assess this might be only the beginning of the evolution of this type of malware targeting ad and social media providers," Kremez told BleepingCOmputer.com ## Targets Facebook Ads Manager When launched, Kremez told BleepingComputer that the Trojan will first attempt to steal Facebook sessions cookies from Chrome and Firefox by accessing the Cookies SQLite database. Once the cookie is retrieved, it will be used to connect a variety of Facebook URLs where information is extracted. ----- ``` https://www.facebook.com/bookmarks/pages?ref_type logout_gear https://secure.facebook.com/settings https://secure.facebook.com/ads/manager/account_settings/account_billing/ ``` The account_billing URL will be used to extract the user's account_id and access_token, which will then be used in a Facebook Graph API call to steal data from the user's Ads Manager settings. **Facebook Graph API call** The graph API call used is below: ``` https://graph.facebook.com/v4.0/act_{account_id}? _reqName=adaccount&_reqSrc=AdsPaymentMethodsDataLoader&fields=%5B%22all_payment_metho ``` The stolen data, which consists of session cookies, access tokens, account ids, advertising email address, associated pages, credit card info (number, expiration date), PayPal email, ad balances, spending limits, etc, is then compiled and sent to the attacker's Command & Control server. With the USA election season looming and state-sponsored actors abusing Facebook ads in the past, it is important for anyone running political campaigns to know that malware is targeting Facebook's ad infrastructure. "Also, I think in light of the upcoming elections and intensified FB campaigns running political messages, this tool is almost like an espionage malware looking for possible political narratives (and grabbing account information)," Kremez told BleepingComputer.com. ----- To make matters worse, with the information stolen by the attackers, they could potentially use these stolen Facebook cookies to access accounts and use them to create their own ad campaigns. ## Steals Amazon session cookies While the main focus of this Trojan is to steal data from Facebook, the malware will also attempt to steal session cookies for Amazon.com and Amazon.co.uk. **Stealing Amazon session cookie** Unlike the Facebook routine, this cookie will simply be sent back to the attacker and will not be used by the Trojan to extract any other information. Once again, if the attacker gains access to a user's Amazon session cookie they will be able to log in as that user. ## Distributed via adware bundles As the sites promoting the 'PDFreader' program do not have active links that allow a user to download the program, BleepingComputer investigated how this malware may be distributed. After following trail of other malware that communicated with one of the PDFreader domains, we found that many of the requests to the PDFreader domains came from adware bundles installing unwanted programs such as YeaDesktop or pretending to be copyrighted software. As this Trojan is silently executed and performs all its tasks in the background, users will not be aware that anything was installed and will just see whatever adware or copyrighted software was downloaded. ----- ### Related Articles: [Pixiv, DeviantArt artists hit by NFT job offers pushing malware](https://www.bleepingcomputer.com/news/security/pixiv-deviantart-artists-hit-by-nft-job-offers-pushing-malware/) [New powerful Prynt Stealer malware sells for just $100 per month](https://www.bleepingcomputer.com/news/security/new-powerful-prynt-stealer-malware-sells-for-just-100-per-month/) [New Meta information stealer distributed in malspam campaign](https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/) [New BlackGuard password-stealing malware sold on hacker forums](https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/) [Fake Binance NFT Mystery Box bots steal victim's crypto wallets](https://www.bleepingcomputer.com/news/security/fake-binance-nft-mystery-box-bots-steal-victims-crypto-wallets/) [Adware](https://www.bleepingcomputer.com/tag/adware/) [Amazon](https://www.bleepingcomputer.com/tag/amazon/) [Facebook](https://www.bleepingcomputer.com/tag/facebook/) [Info Stealer](https://www.bleepingcomputer.com/tag/info-stealer/) [Password Stealing Trojan](https://www.bleepingcomputer.com/tag/password-stealing-trojan/) [Trojan](https://www.bleepingcomputer.com/tag/trojan/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/microsoft-warns-of-spear-phishing-attacks-shares-tips-to-dodge-them/) [Next Article](https://www.bleepingcomputer.com/news/security/smith-and-wesson-web-site-hacked-to-steal-customer-payment-info/) ### Comments [buddy215 - 2 years ago](https://www.bleepingcomputer.com/forums/u/64042/buddy215/) Likely Russia....since Mueller outed it spreading propaganda...is behind this. Facebook users will once again be bombarded with pro-Trump Russian propaganda. Facebook has refused to ban political ads like Twitter has done. That's assuming the Senate will not vote to impeach Trump out of fear of losing their jobs. Trump is going all out in rallies across the country with his lies about Ukraine...not Russia...interfering in the last election. Voters should think about why Russia wanted Trump elected. ----- [herbman - 2 years ago](https://www.bleepingcomputer.com/forums/u/827130/herbman/) You cannot be serious LOL. Are you really this ridiculously clueless ? Everything you said is completely bogus, it was democrats who colluded with Russia and Ukraine helped the democrats in the 2016 election. You got to stop watching fake news, see official list of fake news below. Cnn, Msnbc,Abc,Cbs, Nbc, HuffPost, NYT, WashPost, The AP, BuzzFeed, Politico, NewsWeek, The Hill, Rolling Stone, Sky News, USA Today, Time, LA Times, Reuters, BBC, Boston Globe, Vox, The Miami Herald, Mother Jones, HLN Yahoo, MSN, NY Daily News, Vice, Univision, People, PBS, NPR, New Yorker, Wall Street Journal, Daily Beast, Bloomberg, Aurn, National Journal, BI, "Politicians And Their Families Are Playing in The Corrupt Ukrainian Sandbox" http://newswithviews.com/politicians-and-their-families-are-playing-in-the-corruptukrainian-sandbox/ "The impeachment investigation into President Donald J. Trump’s alleged quid pro quo conversation with Ukrainian President Volodymyr Zelensky is beyond the theatre of the absurd. The continued harassment and ongoing defamation against the 45th president of the United States are acts of harassment, obstruction, and treason. Democrats and the liberal mainstream fake news media have been on a perpetual witch hunt to overthrow the duly elected POTUS and their credibility has reached new lows. If the United States is to remain a republic, the Democrat Party and their liberal propaganda media puppets must be stopped." President Trump has the moral high ground and he has always been a fighter. He will not sit idly by and allow a socialist-communist coup d’etat overthrow of his presidency to occur. As President Trump has said, “They’re not really after me, they’re after you. I’m just in their way.” [http://newswithviews.com/impeach-the-enemy-within-for-treason/](http://newswithviews.com/impeach-the-enemy-within-for-treason/) ----- [Whalley_World - 2 years ago](https://www.bleepingcomputer.com/forums/u/1128131/whalley-world/) I thought this was a site for technical information, not political bickering. We certainly need relevant FACTS (verifiable) to protect ourselves from this cyber-security threat, but political finger-pointing and competing conspiracy theories will not help us here. [Lawrence Abrams - 2 years ago](https://www.bleepingcomputer.com/author/lawrence-abrams/) On topic political comments are allowed, but let's not stray from the content of the article. If it continues, I will disable comments for this article. Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: ----- -----