Attackers are distributing an information-stealing Trojan disguised as a PDF reader that steals Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager.

Over the weekend, MalwareHunterTeam found numerous sites distributing a fake PDF editing program called 'PDFreader'.

Site promoting PDFreader

The executables distributed from this site are signed by a digital certificate issued by Sectigo to "Rakete Content Gmbh".

Digital signature

VirusTotal detects this Trojan as Socelars, but it also shares characteristics with other Trojans, such as AdKoob and Stresspaint, that also attempt to extract and steal Facebook data from various URLs.

According to Vitali Kremez, who analyzed this Trojan, there is not much code similarity between this Trojan and the others, so it may be inspired rather than evolved from previous infections.

"That tells it must be a newer (maybe inspired) variant or significantly improved one over the previous generation. I assess this might be only the beginning of the evolution of this type of malware targeting ad and social media providers," Kremez told BleepingCOmputer.com

Targets Facebook Ads Manager

When launched, Kremez told BleepingComputer that the Trojan will first attempt to steal Facebook sessions cookies from Chrome and Firefox by accessing the Cookies SQLite database.

Once the cookie is retrieved, it will be used to connect a variety of Facebook URLs where information is extracted.

https://www.facebook.com/bookmarks/pages?ref_type=logout_gear https://secure.facebook.com/settings https://secure.facebook.com/ads/manager/account_settings/account_billing/

The account_billing URL will be used to extract the user's account_id and access_token, which will then be used in a Facebook Graph API call to steal data from the user's Ads Manager settings.

Facebook Graph API call

The graph API call used is below:

https://graph.facebook.com/v4.0/act_{account_id}?_reqName=adaccount&_reqSrc=AdsPaymentMethodsDataLoader&fields=%5B%22all_payment_methods%7Bpayment_method_altpays%7Baccount_id%2Ccountry%2Ccredential_id%2Cdisplay_name%2Cimage_url%2Cinstrument_type%2Cnetwork_id%2Cpayment_provider%2Ctitle%7D%2Cpm_credit_card%7Baccount_id%2Ccredential_id%2Ccredit_card_address%2Ccredit_card_type%2Cdisplay_string%2Cexp_month%2Cexp_year%2Cfirst_name%2Cis_verified%2Clast_name%2Cmiddle_name%2Ctime_created%2Cneed_3ds_authorization%2Callow_manual_3ds_authorization%2Csupports_recurring_in_india%7D%2Cpayment_method_direct_debits%7Baccount_id%2Caddress%2Ccan_verify%2Ccredential_id%2Cdisplay_string%2Cfirst_name%2Cis_awaiting%2Cis_pending%2Clast_name%2Cmiddle_name%2Cstatus%2Ctime_created%7D%2Cpayment_method_extended_credits%7Baccount_id%2Cbalance%2Ccredential_id%2Cmax_balance%2Ctype%2Cpartitioned_from%2Csequential_liability_amount%7D%2Cpayment_method_paypal%7Baccount_id%2Ccredential_id%2Cemail_address%2Ctime_created%7D%2Cpayment_method_stored_balances%7Baccount_id%2Cbalance%2Ccredential_id%2Ctotal_fundings%7D%2Cpayment_method_tokens%7Baccount_id%2Ccredential_id%2Ccurrent_balance%2Coriginal_balance%2Ctime_created%2Ctime_expire%2Ctype%7D%7D%22%5D&include_headers=false&locale=it_IT&method=get&pretty=0&suppress_http_code=1

The stolen data, which consists of session cookies, access tokens, account ids, advertising email address, associated pages, credit card info (number, expiration date), PayPal email, ad balances, spending limits, etc, is then compiled and sent to the attacker's Command & Control server.

With the USA election season looming and state-sponsored actors abusing Facebook ads in the past, it is important for anyone running political campaigns to know that malware is targeting Facebook's ad infrastructure.

"Also, I think in light of the upcoming elections and intensified FB campaigns running political messages, this tool is almost like an espionage malware looking for possible political narratives (and grabbing account information)," Kremez told BleepingComputer.com.

To make matters worse, with the information stolen by the attackers, they could potentially use these stolen Facebook cookies to access accounts and use them to create their own ad campaigns.

Steals Amazon session cookies

While the main focus of this Trojan is to steal data from Facebook, the malware will also attempt to steal session cookies for Amazon.com and Amazon.co.uk.

Stealing Amazon session cookie

Unlike the Facebook routine, this cookie will simply be sent back to the attacker and will not be used by the Trojan to extract any other information. Once again, if the attacker gains access to a user's Amazon session cookie they will be able to log in as that user.

Distributed via adware bundles

As the sites promoting the 'PDFreader' program do not have active links that allow a user to download the program, BleepingComputer investigated how this malware may be distributed.

After following trail of other malware that communicated with one of the PDFreader domains, we found that many of the requests to the PDFreader domains came from adware bundles installing unwanted programs such as YeaDesktop or pretending to be copyrighted software.

As this Trojan is silently executed and performs all its tasks in the background, users will not be aware that anything was installed and will just see whatever adware or copyrighted software was downloaded.