
Malvertising Campaign Hijacks Facebook Accounts to Propagate SYS01stealer

 

A new malvertising effort is using Meta's advertising network to disseminate the SYS01 infostealer, a threat already known to Meta and, in particular, to Facebook users for harvesting personal information. 

What distinguishes this attack is that it targets millions of people worldwide, primarily men aged 45 and up. It successfully disguises itself as advertisements for popular software, games, and online services. This campaign, discovered in September 2024, stands out for its imitation tactics and the popular brands it exploits. 

Instead of zeroing in on a single lure, the perpetrators impersonate a wide range of well-known brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder. 

Modus operandi 

According to Bitdefender's blog article, malicious adverts frequently lead to MediaFire links that offer direct downloads of seemingly legitimate software. These zip-archived downloads contain a malicious Electron program. 

When executed, this application drops and runs the SYS01 infostealer, frequently while presenting a fake app that replicates the advertised software. This deceitful strategy makes it harder for victims to recognise that they have been compromised. 

An Electron application is a desktop software that uses web technologies such as HTML, CSS, and JavaScript. Electron is an open-source framework built by GitHub that enables developers to build cross-platform programs that run on Windows, macOS, and Linux using a single codebase. 

However, in this attack, the Electron app employs obfuscated JavaScript code and a standalone 7-Zip executable to extract a password-protected archive containing the core malware components. This bundle contains PHP scripts used to install the infostealer and establish persistence on the victim's PC. The malware also includes anti-sandbox checks to evade analysis by security researchers. 

The primary goal of the SYS01 infostealer is to acquire Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used in subsequent assaults or frauds. 

What's worse, the assault takes advantage of the hijacked accounts' advertising capabilities, allowing attackers to produce new malicious ads that appear more authentic and easily evade security filters. This sets up a self-sustaining loop in which stolen accounts are used to propagate the malware even further. The stolen credentials are likely to be sold on underground marketplaces, enriching the crooks even more.

The Surge of FakeBat Malware in Search-Based Malvertising Campaigns

 

In recent months, cybersecurity researchers have observed a concerning surge in search-based malvertising campaigns, with documented incidents nearly doubling compared to previous periods. Amidst this uptick in online threats, one particular malware variant has captured the attention of experts: FakeBat. 

This malware employs unique techniques in its distribution, posing significant challenges to cybersecurity efforts worldwide. FakeBat has emerged as a significant player in malvertising campaigns, leveraging sophisticated tactics to deceive unsuspecting victims. Unlike conventional malware strains, FakeBat stands out for its utilization of MSIX installers bundled with heavily obfuscated PowerShell code. 

This innovative approach allows threat actors to orchestrate complex attacks while evading traditional detection methods. However, recent iterations of the malware have demonstrated a shift towards more advanced redirection tactics. Threat actors now leverage a variety of redirectors, including legitimate websites, to evade security measures and increase the effectiveness of their attacks. Traditionally, malvertising campaigns targeted specific software brands. 

However, the latest wave of FakeBat attacks has exhibited a notable shift towards diversification in campaign targets. Threat actors now aim to compromise a wide range of brands, expanding their scope and posing a greater threat to businesses and individuals alike. In addition to traditional URL shorteners, FakeBat malvertising campaigns now employ dual redirection tactics. 

While continuing to abuse URL/analytics shorteners, threat actors also leverage subdomains from compromised legitimate websites. By exploiting the credibility associated with these compromised domains, threat actors can circumvent detection mechanisms and increase the success rate of their attacks. Current FakeBat campaigns frequently impersonate reputable brands such as OneNote, Epic Games, Ginger, and the Braavos smart wallet application. 

These malicious domains are often hosted on Russian-based infrastructure, further complicating detection and mitigation efforts for cybersecurity professionals. Despite ongoing efforts to detect and mitigate FakeBat attacks, threat actors continue to evolve their tactics and payloads. Upon execution, a standardized PowerShell script connects to the attacker's command and control server, allowing threat actors to catalog victims for future exploitation. 

Defending against FakeBat and other search-based malvertising threats requires a multifaceted approach. While blocking malicious payloads is crucial, addressing supporting infrastructure poses significant challenges. Implementing robust ad-blocking policies, such as ThreatDown DNS Filter, can effectively thwart malvertising attacks at their source. 

However, organizations must remain vigilant and adapt their defense strategies to counter evolving threats continually. As search-based malvertising continues to evolve, businesses and individuals must remain proactive in their cybersecurity efforts. Understanding the nuances of emerging malware variants like FakeBat and adapting defense strategies accordingly is paramount to safeguarding digital assets against evolving threats. By leveraging tested mitigation measures and collaborating with industry partners, organizations can effectively mitigate the risks posed by search-based malvertising and protect against future cyberattacks.
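As an added example (not code from the original posts, Bitdefender or ThreatDown), a small Python detector that runs over constructed proxy log lines and flags the delivery pattern both posts above describe: an archive or MSIX installer downloaded at the end of a redirect chain that passed through an ad click or URL shortener, or served from a file-hosting site such as MediaFire. The log format, host lists and sample lines are assumptions made for this example.

```python
from urllib.parse import urlparse
# Real ad-click and URL-shortener hosts, used here as category examples (not indicators from the page).
AD_OR_SHORTENER_HOSTS = {"l.facebook.com", "bit.ly", "t.co", "tinyurl.com"}
FILE_HOSTING_HOSTS = {"www.mediafire.com", "mediafire.com"}
INSTALLER_TYPES = {"application/zip", "application/msix"}

# Constructed proxy log ("<ts> <client> <referrer|-> <url> <content-type>"); example-* hosts are placeholders.
SAMPLE_LOG = """\
2024-09-10T10:00:01Z 10.0.0.5 - https://l.facebook.com/l.php?u=x text/html
2024-09-10T10:00:02Z 10.0.0.5 https://l.facebook.com/l.php?u=x https://www.mediafire.com/file/k1/Office365_Setup.zip application/zip
2024-09-10T10:05:00Z 10.0.0.7 - https://bit.ly/3exAmple text/html
2024-09-10T10:05:01Z 10.0.0.7 https://bit.ly/3exAmple https://news.example-college.edu/onenote/ text/html
2024-09-10T10:05:02Z 10.0.0.7 https://news.example-college.edu/onenote/ https://news.example-college.edu/onenote/OneNote-Setup.msix application/msix
2024-09-10T10:10:00Z 10.0.0.9 - https://www.example-vendor.com/download/tool.zip application/zip
"""

def parse_log(text):
    """One dict per well-formed line; a referrer of '-' becomes None."""
    recs = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 5:
            recs.append({"ts": f[0], "client": f[1], "ref": None if f[2] == "-" else f[2],
                         "url": f[3], "ctype": f[4]})
    return recs

def referrer_chain(download, history):
    """Walk referrers back through this client's earlier requests; returns first hop .. download."""
    chain, current = [download["url"]], download["ref"]
    while current and current not in chain:
        chain.append(current)
        prev = next((r for r in history if r["url"] == current), None)
        current = prev["ref"] if prev else None
    return list(reversed(chain))

def find_suspicious_downloads(log_text):
    """Return (client, url, reasons) for installer downloads reached via an ad click or shortener."""
    by_client = {}
    for rec in parse_log(log_text):
        by_client.setdefault(rec["client"], []).append(rec)   # log assumed chronological per client
    alerts = []
    for client, recs in by_client.items():
        for i, rec in enumerate(recs):
            if rec["ctype"] in INSTALLER_TYPES:
                hosts = {urlparse(u).hostname for u in referrer_chain(rec, recs[:i])}
                reasons = [msg for hit, msg in (
                    (hosts & AD_OR_SHORTENER_HOSTS, "installer reached via ad click or URL shortener"),
                    (urlparse(rec["url"]).hostname in FILE_HOSTING_HOSTS, "archive served from file-hosting site"),
                ) if hit]
                if reasons:
                    alerts.append((client, rec["url"], reasons))
    return alerts
```

The vendor download by 10.0.0.9 produces no alert because its chain contains no ad or shortener hop and it is not served from a file-hosting site.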

Malvertising Campaign Targets Firefox Users via Fake Updates

 

Filip Mouliatis, a Malwarebytes researcher, has uncovered a malvertising campaign that is nearly identical to the one distributed by the FakeUpdates (SocGholish) attackers. 

However, the execution and distribution patterns are different. Unlike FakeUpdates which is driven by exploited websites to display malicious, fake browser update windows, this campaign employs malvertising. 

The malvertising campaign targets users via a fake Firefox update that includes a couple of scripts and an encrypted payload. The initial executable is a loader that retrieves a piece of adware identified as BrowserAssistant. This payload was spotted before in an identical malvertising campaign involving the RIG exploit kit in late 2019. 

Interestingly, the attackers reused the same servers in Russia and dubbed their malvertising gates after different ad networks. 

In October 2020, security analyst ‘@na0_sec’ witnessed the “MakeMoney gate”, named after the domain makemoneywithus[.]work (188.225.75.54), redirect to the Fallout exploit kit, although it usually employed RIG EK for multiple years. 

According to Malwarebytes, it is interesting that malicious actors remained faithful to RIG EK for so long during a period when exploit kits were going out of fashion. The attackers also seemed to poke fun at the same ad networks they were exploiting, unless the choice for names linked with their campaigns was motivated by sorting out their upstream traffic. 

However, Filip Mouliatis noted that this particular social engineering campaign could use some improvements: it contains blatant typos, and its server-side infrastructure could be tidied up. 

Last year, in December 2021, a malvertising campaign targeted Chrome users via malicious extensions. These extensions were built to impersonate popular applications and create backdoors that malicious actors could use to exfiltrate personally identifiable information (PII).

Magnat, the authors of this campaign, specifically targeted users searching for popular software via search engines. Once the victim clicked on a malicious link to a fake installer, their endpoint was compromised with a password stealer called "RedLineStealer," as well as a Chrome extension known as "MagnatExtension" designed to log keystrokes and capture screenshots. 

To mitigate the risks, avoid clicking on ads promising things that seem suspicious. Only click on ads that look like they were created by a professional graphic designer. Experts also suggest not clicking on ads that contain spelling errors.

Russian Hackers Employ Malicious Traffic Direction Systems to Spread Malware



Researchers have discovered possible links between a subscription-based crimeware-as-a-service (CaaS) solution and a cracked copy of Cobalt Strike, which they presume is being offered as a tool for customers to stage post-exploitation operations. 

Prometheus is an open-source, metrics-based monitoring and alerting system for cloud applications. Nearly 800 cloud-native companies, including Uber, Slack and Robinhood, employ it. 

Prometheus offers convenient observation of a system's state, along with hardware and software metrics such as memory use, network utilization and application-defined metrics (e.g. the number of failed login attempts to a web application), by scraping real-time information from numerous endpoints.

Prometheus has an understood policy of omitting built-in support for security features like authentication and encryption because the numeric metrics it collects are not deemed sensitive data. This allows the company to focus on creating monitoring-related services. It's being advertised on Russian underground forums as a traffic direction system (TDS) which allows bulk phishing redirection to rogue landing pages, designed to deliver malware payloads on targeted computers for $250 per month. 

"A system of a malicious technology, malicious email circulation, illicit folders across authorized platforms, traffic diversion, and the capacity to deliver infected files are the significant elements of Prometheus," the BlackBerry Research and Intelligence Team stated in a report. 

The redirection comes from one of two places: malicious advertisements on normal websites, or websites that have been tampered with to install harmful code. The attack chain begins with a spam email that contains an HTML file or a Google Docs page; when opened, it redirects the victim to a compromised website hosting a PHP backdoor, which fingerprints the machine to determine whether to serve the victim malware or redirect the user to another page that may contain a phishing scam.

While TDSs aren't a novel concept, the level of sophistication, support and low cost lend validity to the hypothesis that this is a trend that will likely emerge in the threat environment in the near future, the researchers wrote.

In addition to enabling these features, anyone with a Prometheus deployment is strongly advised to query the previously listed endpoints to check whether sensitive data was exposed before the authentication and TLS functionality in Prometheus was implemented.

Cinobi Banking Malware Targets Japanese Cryptocurrency Exchange Users via Malvertising Campaign

 

Researchers at Trend Micro discovered a new social engineering-based malvertising campaign targeting Japanese users with a malicious application disguised as a free porn game, a reward points application, or a video streaming app. 

The malicious application uses a sideloading technique to show the victim arbitrary web pages and ultimately deploy the Cinobi banking trojan. Researchers say that the malvertising campaign shares much in common with the Cinobi banking trojan they identified last year and consider it a rebranded version of it. The campaign's configuration remained the same, except that it now targets a list of cryptocurrency exchange websites in Japan.

Last year, researchers at Trend Micro unearthed a new banking trojan, which was dubbed Cinobi. The banking malware was part of a campaign called "Operation Overtrap", operated by a malicious group known as "Water Kappa". The group deployed the trojan in two ways: either via spam or by making use of the Bottle exploit kit, which contained CVE-2020-1380 and CVE-2021-26411 (two Internet Explorer exploits). Interestingly, only Internet Explorer users were targeted through these malvertising attacks. 

Throughout 2020 and the first half of 2021, researchers noticed limited activity from the group, with traffic decreasing during the middle of June, possibly suggesting that the group was turning to new tools and techniques. Earlier this month, researchers discovered the banking malware targeting users in Japan by abusing sideloading bugs. Researchers at Trend Micro believe that the same attackers behind the "Operation Overtrap" campaign are behind this new one.

The malvertising campaign targets users by sending malvertisements with five different themes. These malvertisements trick victims into installing the same archive with the malware files. After the victim clicks the download button (“index.clientdownload.windows”), the site downloads the ZIP archive for the main executable file.

Researchers noted that the malicious website can be accessed only from Japanese IP addresses and that the threat actors behind the malvertising campaign are after cryptocurrency: the credentials of cryptocurrency exchange accounts are now what the attackers aim to obtain by deploying the Cinobi banking trojan. 

Threat actors have built a few more versions of the banking malware with slight differences. The most important difference is the configuration file responsible for the form-grabbing functionality. The banking trojan has been spotted targeting users of 11 Japanese financial institutions, including banks and cryptocurrency trading companies. To avoid infection, researchers advised users to be extra cautious of suspicious advertisements and to install only legitimate applications from trusted sources.