- Attackers are spreading fake cryptocurrency trading apps using Facebook ads to deliver malware targeting user credentials and wallets.
- The malware, called JSCEAL, is delivered through a multi-step infection process and is difficult to detect and analyze.
- The campaign uses both stolen and new Facebook accounts and has been active since at least March 2024, according to security researchers.
- JSCEAL steals sensitive data, injects malicious code into websites, and can take full control of infected devices.
- Researchers warn that this malicious software can bypass many traditional security tools by hiding its code within JavaScript files.
Cybersecurity researchers have identified an ongoing campaign using fake cryptocurrency trading applications to distribute malware that aims to steal users’ credentials and digital wallet information. These attacks are primarily spread through a large volume of malicious advertisements on Facebook, luring victims to install the infected software.
The malware, named JSCEAL, uses a complex, multi-layered infection process to avoid detection. The attackers break up the installer’s functions, placing significant portions within JavaScript code found on compromised websites. According to a detailed analysis from Check Point, this approach allows the attackers to adjust their methods and payloads at different stages of the attack.
Some aspects of this operation have been previously reported by Microsoft and WithSecure. WithSecure, which tracks the campaign as WEEVILPROXY, reported that it has been active since March 2024. The attack chain uses script-based fingerprinting and unique execution requirements, including simultaneous activity on both the malicious site and the installer, which increases the difficulty of detecting or analyzing the malware.
Clicking on the links in the malicious Facebook ads begins a series of redirections, eventually sending users to fake sites that replicate well-known trading services or, if the user’s IP or web traffic does not meet specific criteria, to a decoy page. The fake websites host JavaScript files that communicate with a local server on the victim’s device and monitor the installation process, ensuring all malicious components are running as required.
The malicious installer drops several DLL files and establishes a local server to process commands from the website. This infrastructure means that if any part fails, the infection does not proceed. To avoid suspicion, the installer opens a legitimate-looking web page for the targeted application through Microsoft Edge’s proxy process.
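The channel described above, in which a page loaded from a remote site talks to a server listening on the victim's own machine, leaves a distinctive trace in browser or proxy telemetry: a browser process whose page origin is an external site issuing requests to the loopback interface. The following detection logic is an added example, not code from the article or from Check Point's report; the log format, the field names and every hostname and port in the constructed sample are assumptions, not indicators from the campaign.

```python
"""
Added example (not from the article or Check Point's report): flag browser
requests whose page origin is an external web site but whose destination is
the loopback interface, the pattern the article describes for the
site-to-local-server channel. The log format and field names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample records in the shape "process|referer_origin|dest_url".
# Hostnames and ports are placeholders, not indicators from the report.
SAMPLE_LOG = """\
msedge.exe|https://trading-example.invalid|http://127.0.0.1:3000/status
msedge.exe|https://trading-example.invalid|https://trading-example.invalid/app.js
chrome.exe|http://localhost:8080|http://127.0.0.1:8080/api
msedge.exe|https://mail-example.invalid|http://[::1]:9000/ping
code.exe|-|http://localhost:5000/health
"""

# Browser process names considered (assumption: Windows executable names).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class Event:
    process: str   # process that issued the request
    origin: str    # origin of the page that issued it ("-" if none)
    dest: str      # destination URL


def parse_log(text):
    """Parse the constructed pipe-separated log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        process, origin, dest = line.split("|", 2)
        events.append(Event(process, origin, dest))
    return events


def is_loopback_url(url):
    """True if the URL's host is 'localhost' or a loopback IPv4/IPv6 address."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def is_loopback_origin(origin):
    """Local development pages (origin itself on loopback) are not flagged."""
    return origin != "-" and is_loopback_url(origin)


def find_suspicious(events):
    """Browser page served from a remote origin talking to a loopback service."""
    return [
        e for e in events
        if e.process.lower() in BROWSERS
        and is_loopback_url(e.dest)
        and not is_loopback_origin(e.origin)
    ]


if __name__ == "__main__":
    for hit in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{hit.process}: page at {hit.origin} contacted {hit.dest}")
```

The rule deliberately ignores requests whose page origin is itself on loopback, so local development servers do not trigger it; what remains is exactly the cross-origin remote-page-to-localhost pattern. In practice the same condition can be expressed in a web proxy or EDR query once the telemetry exposes the page origin (or Referer) and the destination host.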
The JSCEAL malware then collects system data, browser cookies, passwords, and more, sending the information to attackers using a PowerShell-based backdoor. If the targeted device is valuable, the infection proceeds to run JSCEAL using Node.js, enabling further malicious activity.
The malware sets up a proxy to intercept and modify web traffic, especially for banking and cryptocurrency sites, to steal credentials in real time. Other features include stealing Telegram data, capturing screenshots or keystrokes, and manipulating cryptocurrency wallets. Check Point described JSCEAL as resilient and able to evade standard security tools, largely because the attackers heavily obscure their code in JavaScript files, making detection and analysis difficult.
For more technical details, visit Check Point’s full analysis.