Sponsored Facebook-ads spread password-stealing malware, disguised as Google Gemini


The allure of the latest AI tools is universal, and cybercriminals are capitalizing on this enthusiasm. Offering ChatGPT, Bing, or Google Gemini (formerly Google Bard) with enhanced functionality has become a recurring theme in phishing campaigns. These campaigns are progressively more sophisticated, combining multiple techniques, tools, and reputable services to elude most detection methods. Nevertheless, their ultimate objective remains unchanged: to deceive individuals into downloading malicious software or surrendering their account credentials. Whalebone protective DNS provides the solution here.

A convincing facade that hides a malicious installer

This specific threat assumes the guise of Google Gemini (formerly Google Bard) and presents itself as a paid Facebook advertisement. Bot accounts in the comment section endorse it to lend the ad further credibility. The landing page is built with Google Sites, so it appears on a legitimate Google domain and looks trustworthy.

However, the download link on the site leads to a file hosted on Trello, which ultimately delivers a malicious installer.

Sponsored Facebook advertisements disseminate password-stealing malware disguised as Google Gemini.

Only the filename gives it away

The malware is exceptionally evasive: at the time of writing, no VirusTotal scanning engine detects it. What may reveal its true nature before installation, however, is the filename. While the advertised page promotes Gemini, the installer actually deploys "Meta Ads Manager".

A deceitful browser extension to spread chaos

Once the installation, which is essentially a smokescreen, completes, the malware implants a rogue browser extension disguised as “Google Translate” and opens a Facebook login prompt. This lets it steal your password, your login session, and any data you subsequently enter in the browser.
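A rogue extension that borrows a trusted product name is hard to spot in the browser's extension list, but it is easy to catch on disk: the extension ID does not match the one the genuine product ships under, and its manifest asks for far broader permissions than a translation tool needs. The script below is an added example, not code from Kappa Data or Whalebone, that audits a Chrome-style `Extensions/<id>/<version>/manifest.json` tree for exactly that mismatch. The allowlist ID is a placeholder you must replace with the ID you verify in the Chrome Web Store, and the sample extension tree it builds is constructed for the demonstration.

```python
"""Audit a Chrome-style Extensions/ tree for name/ID mismatches and risky permissions.

Added example, not Kappa Data's or Whalebone's code. Assumes the standard
Chrome layout .../Extensions/<extension-id>/<version>/manifest.json.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumed allowlist: product names a malicious extension might borrow, mapped to
# their genuine Web Store IDs. The ID below is a PLACEHOLDER; replace it with the
# ID you verify in the Chrome Web Store before using this for real.
TRUSTED_IDS = {
    "google translate": {"PLACEHOLDER_GOOGLE_TRANSLATE_ID"},
}

# Permissions that let an extension read pages, cookies and sessions wholesale.
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                         "tabs", "history", "<all_urls>"}


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Resolve a localized __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    messages_path = version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(messages_path.read_text(encoding="utf-8"))
        return messages[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # unresolved placeholder is itself worth a look


def audit_extensions(extensions_root: Path) -> list[dict]:
    """Return one finding per installed extension version that looks suspicious."""
    findings = []
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            name = resolve_name(version_dir, manifest)
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            reasons = []
            trusted = TRUSTED_IDS.get(name.strip().lower())
            if trusted is not None and ext_dir.name not in trusted:
                reasons.append("name impersonates a trusted extension but the ID is not the known one")
            risky = perms & HIGH_RISK_PERMISSIONS
            if risky:
                reasons.append("high-risk permissions: " + ", ".join(sorted(risky)))
            if reasons:
                findings.append({"id": ext_dir.name, "name": name,
                                 "version": version_dir.name, "reasons": reasons})
    return findings


def _write_manifest(version_dir: Path, manifest: dict) -> None:
    version_dir.mkdir(parents=True)
    (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def build_constructed_sample(root: Path) -> Path:
    """Constructed sample tree: one genuine-looking extension and one impersonator."""
    ext_root = root / "Extensions"
    # Benign: name and ID agree with the allowlist, modest permissions.
    _write_manifest(ext_root / "PLACEHOLDER_GOOGLE_TRANSLATE_ID" / "1.0_0",
                    {"name": "Google Translate", "permissions": ["storage"]})
    # Rogue: localized name resolves to "Google Translate", unknown ID, sweeping permissions.
    rogue = ext_root / "aaaaaaaabbbbbbbbccccccccdddddddd" / "2.0_0"
    _write_manifest(rogue, {"name": "__MSG_appName__", "default_locale": "en",
                            "permissions": ["cookies", "webRequest", "tabs"],
                            "host_permissions": ["<all_urls>"]})
    locale_dir = rogue / "_locales" / "en"
    locale_dir.mkdir(parents=True)
    (locale_dir / "messages.json").write_text(
        json.dumps({"appName": {"message": "Google Translate"}}), encoding="utf-8")
    return ext_root


def demo() -> list[dict]:
    """Run the audit over the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_constructed_sample(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real endpoint, point `audit_extensions` at the profile's `Extensions` directory (for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows). The audit flags the impersonator and stays quiet about the benign entry; an unresolved `__MSG_` name or a translation tool requesting `cookies` and `<all_urls>` is reason enough to pull the extension for analysis.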

To collect the stolen data, the malware relies on domains hosted on Firebase. Whalebone protective DNS blocks these domains, so even if antivirus fails to detect the installer, your passwords remain beyond the attacker's reach when you are protected by a Whalebone-based security product.
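Protective DNS works because the stealer must resolve its collection domains before it can send anything; if the resolver refuses those names, the credentials never leave the machine. The script below is an added example, not Whalebone's product logic, that applies the same idea to a resolver query log: it blocks a constructed blocklist (placeholders, since this page does not name the campaign's actual domains) including every subdomain of each entry, flags other lookups of Firebase hosting suffixes for review rather than blocking them outright, and reports which clients tried to reach a blocked domain, because a blocked lookup means the endpoint is infected and still needs cleanup. The log lines are constructed in dnsmasq style.

```python
"""Apply a DNS blocklist to resolver query logs and surface infected clients.

Added example, not Whalebone's code. Blocklist entries and log lines are
constructed placeholders; the page does not name the campaign's real domains.
"""
import re
from collections import defaultdict

# Constructed blocklist (PLACEHOLDERS). A real feed carries the observed
# collection domains; a match covers the name and every subdomain under it.
BLOCKLIST = {
    "example-placeholder-collector.firebaseio.com",
    "example-placeholder-panel.web.app",
}

# Suffixes Firebase assigns to hosted projects and realtime databases. Many
# legitimate apps live there, so an unlisted name only earns a REVIEW verdict.
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebaseapp.com", ".web.app")

# Constructed dnsmasq-style query log (not real traffic).
SAMPLE_LOG = """\
Mar 12 10:01:02 dnsmasq[811]: query[A] www.google.com from 10.0.0.5
Mar 12 10:01:03 dnsmasq[811]: query[A] example-placeholder-collector.firebaseio.com from 10.0.0.5
Mar 12 10:01:04 dnsmasq[811]: query[A] api.example-placeholder-panel.web.app from 10.0.0.5
Mar 12 10:01:05 dnsmasq[811]: query[A] some-legit-project.firebaseapp.com from 10.0.0.7
Mar 12 10:01:06 dnsmasq[811]: query[AAAA] trello.com from 10.0.0.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)")


def _normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str) -> bool:
    """True if qname equals a blocklist entry or is a subdomain of one."""
    q = _normalize(qname)
    return any(q == entry or q.endswith("." + entry) for entry in BLOCKLIST)


def classify(qname: str) -> str:
    """BLOCK for listed names, REVIEW for other Firebase-hosted names, else ALLOW."""
    if is_blocked(qname):
        return "BLOCK"
    if _normalize(qname).endswith(FIREBASE_SUFFIXES):
        return "REVIEW"
    return "ALLOW"


def process_log(text: str) -> dict:
    """Group (client, qname) pairs by verdict: {'BLOCK': [...], 'REVIEW': [...], 'ALLOW': [...]}."""
    verdicts = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (dnsmasq also logs replies, cached hits, etc.)
        verdicts[classify(m["qname"])].append((m["client"], m["qname"]))
    return dict(verdicts)


def infected_clients(verdicts: dict) -> set:
    """Clients that attempted a blocked lookup: the block stopped the exfiltration,
    but the endpoint that asked still carries the installer and extension."""
    return {client for client, _ in verdicts.get("BLOCK", [])}


if __name__ == "__main__":
    result = process_log(SAMPLE_LOG)
    for verdict, entries in result.items():
        for client, qname in entries:
            print(f"{verdict:6} {client:12} {qname}")
    print("clients needing cleanup:", sorted(infected_clients(result)))
```

The subdomain rule matters: stealers commonly rotate hostnames under one hosted project, so matching only the exact name would let `api.` or a random-label prefix slip through. The REVIEW bucket is deliberately separate from BLOCK, since blanket-blocking Firebase suffixes would break legitimate applications; it exists so an analyst can promote newly observed names to the blocklist.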

Still have questions?

Feel free to contact us at sales@kappadata.be and we will be happy to help!
