As part of a sophisticated scheme to trick corporate employees into installing malware, a newly uncovered backdoor and credential-stealer is disguising itself as a genuine software download.
Elastic Software researchers spotted the malware, known as LOBSHOT, spreading through deceptive Google Ads for well-known remote-workforce applications like AnyDesk, they reported in a recent blog post.
"Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers," researcher Daniel Stepanic wrote in the post.
Additionally, LOBSHOT, a backdoor that appears to be financially motivated and steals victims' banking, cryptocurrency, and other credentials and data, appears to be the work of threat group TA505, which is known for disseminating the Clop ransomware, according to the researchers.
The DLL from download-cdn[.]com, a domain historically connected to the threat group known for its involvement in the Dridex, Locky, and Necurs operations, was run by the bogus download site used to disseminate LOBSHOT, according to the claim.
The researchers "assess with moderate confidence" that LOBSHOT is a new malware capability utilised by the gang based on this other infrastructure connected to TA505 that is used in the campaign.
In addition, fresh samples associated with this family are being discovered by researchers every week, and they "expect it to be around for some time," he added.
Utilising nefarious ads by Google
Potential victims are exposed to LOBSHOT by clicking on Google Ads for what appear to be real workforce software, such AnyDesk, similar to similar threat campaigns seen earlier in the year. Similar tactics were used in January to propagate the malware-as-a-service Rhadamanthys Stealer using website redirects from Google Ads that also masqueraded as download pages for well-known remote-workforce applications like AnyDesk and Zoom.
According to Elastic Search, the campaigns are in fact connected to "a large spike" in the usage of malvertising that security researchers have been noticing since earlier this year.
"Similar infection chains were observed in the security community with commonalities of users searching for legitimate software downloads that ended up getting served illegitimate software from promoted ads from Google," Stepanic further wrote.
This behaviour indicates a pattern of persistent rival abuse and expansion of their influence "through malvertising such as Google Ads by impersonating legitimate software," he said.
Stepanic recognised that while these malware kinds may appear to be minor and have a narrow scope, they actually pack a powerful punch thanks to their "fully interactive remote control capabilities" that enable threat actors to acquire initial access to corporate networks and carry out subsequent destructive activities.
Infection chain
When a person conducts a web search for a trustworthy piece of software, Google Ads returns a boosted result that is actually a malicious website. This is when the LOBSHOT infection chain starts.
"In one observed instance, the malicious ad was for a legitimate remote desktop solution, AnyDesk," the researcher explained. "Careful examination of the URL goes to https://www.amydecke[.]website instead of the legitimate AnyDesk URL, https://www.anydesk[.]com."
The consumer visits a landing page for the software they were hoping to download after clicking on that advertisement, which appears to be legitimate.
The researchers claimed that it is actually an MSI installer that the user's PC executes after downloading.
Stepanic stated that the landing pages had "very convincing branding that matched the legitimate software and had Download Now buttons that pointed to an MSI installer."
Elastic Software claims that when MSI is executed, a PowerShell is launched that downloads LOBSHOT through rundll32 and starts a connection with the attacker-owned command-and-control server.
Exploitation and mitigation
Attackers employ LOBSHOT's hVNC (Hidden Virtual Network Computing) component, a module that permits "direct and unobserved access to the machine," as one of its key features, to get access to targets.
The hVNC (Hidden Virtual Network Computing) component of LOBSHOT is one of its key features. This module enables "direct and unobserved access to the machine," and is utilised by attackers to avoid detection, according to Stepanic.
He added, "this feature is frequently baked into many popular families as plugins and continues to be successful in evading fraud-detection systems."
According to the researchers, LOBSHOT, like the majority of malware currently in use, uses dynamic import resolution to get around protection software and delay the early discovery of its capabilities.
"This process involves resolving the names of the Windows APIs that the malware needs at runtime as opposed to placing the imports into the program ahead of time," Stepanic added.
Researchers have provided links to several Elastic Search GitHub sites that illustrate preventative measures to fend off malware like LOBSHOT connected to its numerous activities, including Suspicious Windows Explorer Execution, Suspicious Parent-Child Relationship, and Windows.Trojan.Lobshot.
The post also provides guidelines that businesses can use to build EQL searches to look for behaviours that are suspiciously similar to the ones that the researchers saw LOBSHOT execute in connection to grandparent, parent, and kid relationships.