Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Backdoor Installation. Show all posts

Google Ads Exploited to Tempt Corporate Employees Into Installing LOBSHOT Backdoor

 

As part of a sophisticated scheme to trick corporate employees into installing malware, a newly uncovered backdoor and credential-stealer is disguising itself as a genuine software download. 

Elastic Software researchers spotted the malware, known as LOBSHOT, spreading through deceptive Google Ads for well-known remote-workforce applications like AnyDesk, they reported in a recent blog post. 

"Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers," researcher Daniel Stepanic wrote in the post. 

Additionally, LOBSHOT, a backdoor that appears to be financially motivated and steals victims' banking, cryptocurrency, and other credentials and data, appears to be the work of threat group TA505, which is known for disseminating the Clop ransomware, according to the researchers.

The DLL from download-cdn[.]com, a domain historically connected to the threat group known for its involvement in the Dridex, Locky, and Necurs operations, was run by the bogus download site used to disseminate LOBSHOT, according to the claim.

The researchers "assess with moderate confidence" that LOBSHOT is a new malware capability utilised by the gang based on this other infrastructure connected to TA505 that is used in the campaign. 

In addition, fresh samples associated with this family are being discovered by researchers every week, and they "expect it to be around for some time," he added. 

Utilising nefarious ads by Google 

Potential victims are exposed to LOBSHOT by clicking on Google Ads for what appear to be real workforce software, such AnyDesk, similar to similar threat campaigns seen earlier in the year. Similar tactics were used in January to propagate the malware-as-a-service Rhadamanthys Stealer using website redirects from Google Ads that also masqueraded as download pages for well-known remote-workforce applications like AnyDesk and Zoom.

According to Elastic Search, the campaigns are in fact connected to "a large spike" in the usage of malvertising that security researchers have been noticing since earlier this year. 

"Similar infection chains were observed in the security community with commonalities of users searching for legitimate software downloads that ended up getting served illegitimate software from promoted ads from Google," Stepanic further wrote. 

This behaviour indicates a pattern of persistent rival abuse and expansion of their influence "through malvertising such as Google Ads by impersonating legitimate software," he said. 

Stepanic recognised that while these malware kinds may appear to be minor and have a narrow scope, they actually pack a powerful punch thanks to their "fully interactive remote control capabilities" that enable threat actors to acquire initial access to corporate networks and carry out subsequent destructive activities. 

Infection chain 

When a person conducts a web search for a trustworthy piece of software, Google Ads returns a boosted result that is actually a malicious website. This is when the LOBSHOT infection chain starts. 

"In one observed instance, the malicious ad was for a legitimate remote desktop solution, AnyDesk," the researcher explained. "Careful examination of the URL goes to https://www.amydecke[.]website instead of the legitimate AnyDesk URL, https://www.anydesk[.]com." 

The consumer visits a landing page for the software they were hoping to download after clicking on that advertisement, which appears to be legitimate. 

The researchers claimed that it is actually an MSI installer that the user's PC executes after downloading. Stepanic stated that the landing pages had "very convincing branding that matched the legitimate software and had Download Now buttons that pointed to an MSI installer."

Elastic Software claims that when MSI is executed, a PowerShell is launched that downloads LOBSHOT through rundll32 and starts a connection with the attacker-owned command-and-control server. 

Exploitation and mitigation 

Attackers employ LOBSHOT's hVNC (Hidden Virtual Network Computing) component, a module that permits "direct and unobserved access to the machine," as one of its key features, to get access to targets. 

The hVNC (Hidden Virtual Network Computing) component of LOBSHOT is one of its key features. This module enables "direct and unobserved access to the machine," and is utilised by attackers to avoid detection, according to Stepanic. He added, "this feature is frequently baked into many popular families as plugins and continues to be successful in evading fraud-detection systems." 

According to the researchers, LOBSHOT, like the majority of malware currently in use, uses dynamic import resolution to get around protection software and delay the early discovery of its capabilities.

"This process involves resolving the names of the Windows APIs that the malware needs at runtime as opposed to placing the imports into the program ahead of time," Stepanic added. 

Researchers have provided links to several Elastic Search GitHub sites that illustrate preventative measures to fend off malware like LOBSHOT connected to its numerous activities, including Suspicious Windows Explorer Execution, Suspicious Parent-Child Relationship, and Windows.Trojan.Lobshot. 

The post also provides guidelines that businesses can use to build EQL searches to look for behaviours that are suspiciously similar to the ones that the researchers saw LOBSHOT execute in connection to grandparent, parent, and kid relationships.

Threat Actors Deploy Linux Backdoor on Hacked E-Stores with Software Skimmer

 

Cybersecurity researchers have uncovered a new hacking strategy that deploys a Linux backdoor on hacked e-commerce servers and exfiltrates customers' personal information, including credit card details. 

According to Sansec researchers, the hackers started automated e-commerce attack probes, testing for dozens of vulnerabilities in e-commerce websites. As soon as one is spotted, the attackers use PHP-coded web skimmer to download and insert fake payment forms into the checkout pages that the hacked online business displays to clients. 

“We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a web shell and modified the server code to intercept customer data,” the Sansec threat research team stated. 

The Golang-based malware, which was unearthed on the same site by Dutch cyber-security firm Sansec, was downloaded and executed on infiltrated servers as a linux_avp executable. Once deployed, it immediately removes itself from the disk and disguises itself as a "ps -ef" process that would be used to retrieve a list of presently active processes.

While examining the linux_avp backdoor, the researchers discovered that it waits for commands from a Beijing server on Alibaba’s network. Additionally, the malware can gain persistence by inserting a new crontab entry that would redownload the malicious payload from its command-and-control server and reinstall the backdoor if detected and removed or the server restarts. 

Unfortunately, this backdoor remains undetected by anti-malware engines on VirusTotal even though a sample was first uploaded more than one month ago, on October 8th. The uploader might be the linux_avp designer since it was submitted one day after researchers discovered it while examining the e-commerce site breach.

 “Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment test. This was just one day after the successful breach of our customer’s store. The person uploading the malware could very well be the malware author, who wanted to assert that common antivirus engines will not detect their creation,” said researchers.