Skip to content

Sponsored Facebook ads spread password-stealing malware masked as Google Bard

Everyone is excited to use the latest AI tools and hackers know it. Offering ChatGPT, Bing or Google Bard with latest features became a popular theme of phishing campaigns. The campaigns are getting more sophisticated, combining several techniques, tools and legitimate services to avoid most detections. Their goal remains the same, though: to trick people into downloading malicious software or giving up their account passwords.

A legitimate look hiding a malicious installer

This particular threat masquerades as Google Bard and shows itself as a paid Facebook ad. Furthermore, bot accounts in comments are recommending it to spread the message.

The webpage is made using Google Sites, therefore looking trustworthy and based on actual Google domain. However, the download link on the site points to a file hosted on Trello and downloads a malicious installer.

Sponsored Facebook ads spread password-stealing malware masked as Google Bard

Only the name gives it away

The malware is highly evasive, currently undetected by any VirusTotal engines. What might give it away before installation, however, is the naming of the file – while the page advertised Bard, the installer is installing Meta Ads Manager.

A rogue browser extension to wreak havoc

After finishing the installation, that only serves as a decoy, the malware plants a rogue browser extension masked as “Google Translate” and opens a Facebook login page – stealing your password, login session, and anything else you from now input into the browser. 

To collect the stolen data, the malware uses domains on Firebase, which are blocked by Whalebone protective DNS. Therefore, even if the antivirus does not catch the installer, the attacker won’t receive your passwords if you are protected by Whalebone-based security products.