Cybercriminals are using online advertisements for fake versions of popular software to trick users into downloading three forms of malware, including a malicious browser extension with the capabilities of a Trojan horse, giving attackers usernames and passwords as well as remote backdoor access to the infected Windows PC.
The attacks, which distribute two forms of custom-developed and previously undocumented malware, were detailed by researchers at Cisco Talos, who dubbed the campaign “Magnat.” The campaign appears to have been active in one form or another since 2018, and the malware has been under continuous development. More than half of the victims are in Canada, but there are also victims around the world, including in the United States, Europe, Australia and Nigeria.
Researchers believe victims are lured into downloading the malware through malicious online advertisements that point them to fake installers of popular software. Users are likely searching for legitimate versions of the software, but the advertisements direct them to the malicious versions instead.
Fake versions of Viber and WeChat
Among the software that users are tricked into downloading are fake versions of messaging apps such as Viber and WeChat, as well as fake installers of popular video games such as Battlefield. The installer does not install the advertised software; instead it drops three forms of malware: a password stealer, a backdoor, and a malicious browser extension that lets the attackers record keystrokes and take screenshots of what the infected user is seeing.
The password stealer distributed in the attacks is known as Redline, a relatively common piece of malware that steals every username and password it finds on the infected system. Magnat previously distributed another password stealer, Azorult. The switch to Redline is likely due to the fact that Azorult, like many other forms of malware, stopped working properly after the release of Chrome 80 in February 2020.
While password stealers are basic off-the-shelf malware, the previously undocumented backdoor installer, which the researchers have dubbed MagnatBackdoor, appears to be a more customized piece of malware. It has been distributed since 2019, although there have been periods when distribution stopped for months at a time.
MagnatBackdoor
MagnatBackdoor configures the infected Windows system to allow stealth access to Remote Desktop Protocol (RDP), as well as to add a new user and schedule the system to ping a command-and-control server run by attackers at regular intervals. The backdoor allows attackers to secretly gain remote access to the PC when necessary.
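The three persistence actions described above (a new user, RDP enabled, a scheduled beacon) each leave a Windows Security event behind: 4720 (user account created), 4698 (scheduled task created) and, when a SACL is set on the Terminal Server key, 4657 (registry value modified) on `fDenyTSConnections` changing to `0`. Individually these are routine admin activity; together, on one host, within a short window, they are a useful detection. The correlation below is an added example written for this article, not code from Cisco Talos or from the malware; the event records are constructed in a generic SIEM-style shape and the field names (`TargetUserName`, `ObjectValueName`, `NewValue`, `TaskName`) follow the Windows event schema as I understand it.

```python
"""Correlate Windows Security events for a MagnatBackdoor-style persistence pattern:
a new local user, RDP enabled via the Terminal Server registry key, and a scheduled
task created close together on the same host. All sample events are constructed."""
from datetime import datetime, timedelta

# Constructed sample events in a normalized SIEM-style form (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2021-12-01T10:02:11", "host": "WS-17", "event_id": 4720,
     "TargetUserName": "svc_update"},
    {"ts": "2021-12-01T10:02:40", "host": "WS-17", "event_id": 4657,
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "NewValue": "0"},
    {"ts": "2021-12-01T10:03:05", "host": "WS-17", "event_id": 4698,
     "TaskName": r"\Microsoft\Windows\Update\SyncCheck"},
    # A lone account creation on another host: ordinary onboarding, no alert.
    {"ts": "2021-12-01T15:30:00", "host": "WS-22", "event_id": 4720,
     "TargetUserName": "jdoe"},
    # A scheduled task the next day: outside the correlation window.
    {"ts": "2021-12-02T09:00:00", "host": "WS-22", "event_id": 4698,
     "TaskName": r"\Backup\Nightly"},
]

RDP_KEY_SUFFIX = r"\Control\Terminal Server"


def indicator(ev):
    """Map one normalized event to an indicator name, or None if it is irrelevant."""
    eid = ev["event_id"]
    if eid == 4720:                      # A user account was created
        return "new_local_user"
    if eid == 4698:                      # A scheduled task was created
        return "scheduled_task"
    if (eid == 4657                      # A registry value was modified ...
            and ev.get("ObjectName", "").endswith(RDP_KEY_SUFFIX)
            and ev.get("ObjectValueName") == "fDenyTSConnections"
            and ev.get("NewValue") == "0"):   # ... and it enables RDP
        return "rdp_enabled"
    return None


def correlate(events, window=timedelta(hours=1), min_indicators=2):
    """Return {host: alert} for hosts where at least `min_indicators` distinct
    indicators occur within `window` of each other. The richest alert per host wins."""
    tagged = []
    for ev in events:
        tag = indicator(ev)
        if tag:
            tagged.append((datetime.fromisoformat(ev["ts"]), ev["host"], tag, ev))
    tagged.sort(key=lambda t: (t[1], t[0]))      # group by host, then by time

    alerts = {}
    for i, (start, host, _, _) in enumerate(tagged):
        hits = {}                                 # indicator -> first matching event
        for ts, h, tag, ev in tagged[i:]:
            if h != host or ts - start > window:
                break
            hits.setdefault(tag, ev)
        if len(hits) >= min_indicators:
            best = alerts.get(host)
            if best is None or len(hits) > len(best["indicators"]):
                alerts[host] = {"host": host, "start": start.isoformat(),
                                "indicators": sorted(hits),
                                "events": list(hits.values())}
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS).values():
        print(alert["host"], alert["start"], ", ".join(alert["indicators"]))
```

The window and the indicator threshold are the tuning knobs: two of three indicators within an hour catches a backdoor that enables RDP but beacons through some other mechanism, at the cost of more triage on hosts where administrators legitimately script user creation. Where registry auditing is not enabled, Sysmon's registry value set event (ID 13) on the same key can be mapped to the `rdp_enabled` indicator instead.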
The third payload is a downloader for a malicious Google Chrome extension, which the researchers dubbed MagnatExtension. The extension is provided by the attackers and does not come from the Chrome Extension Store.
The extension has several ways to steal data directly from the web browser, including taking screenshots, stealing cookies, stealing information entered into forms, and a keylogger that records everything the user types in the browser. All of this information is then sent back to the attackers.
The researchers compared the extension’s capabilities to those of a banking Trojan. They suggest that the ultimate goal of the malware is to obtain user credentials, either for sale on the dark web or for further exploitation by the attackers. The cybercriminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating the malware, and that is likely to continue.
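An extension with the capabilities listed above needs permissions that a legitimate note-taking or shopping extension rarely does (cookie access, tab capture, a content script on every page), and it was sideloaded rather than installed from the Chrome Web Store. Both facts are recorded in the browser profile, which makes a profile audit a cheap triage step. The audit below is an added example written for this article, not Talos code and not based on MagnatExtension's actual manifest; the JSON excerpt is constructed, and its layout (`extensions.settings.<id>` with `from_webstore`, `location`, `path` and the embedded `manifest`) follows Chrome's `Preferences`/`Secure Preferences` files as I understand them, so treat those field names as assumptions and check them against a profile on the build you run.

```python
"""Audit a Chrome profile's extension settings for sideloaded or over-privileged
extensions. The sample preferences below are constructed, not from a real profile."""
import json

# Constructed excerpt modelled on the `extensions.settings` section of a Chrome
# profile's Preferences file. Field names are assumed; extension IDs are made up.
SAMPLE_PREFS = json.loads(r'''
{
  "extensions": {
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": true,
        "location": 1,
        "manifest": {"name": "Tab Notes", "permissions": ["storage"]}
      },
      "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": false,
        "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "manifest": {
          "name": "Sheets Helper",
          "permissions": ["cookies", "tabs", "webRequest", "<all_urls>", "desktopCapture"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
        }
      }
    }
  }
}
''')

# Permissions that enable the data theft described in the article, with the reason
# each one matters to a reviewer.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for hosts it has access to",
    "tabs": "can enumerate open tabs and capture their contents",
    "webRequest": "can observe or alter HTTP traffic",
    "desktopCapture": "can capture the screen",
    "clipboardRead": "can read the clipboard",
    "<all_urls>": "host access to every site",
}


def load_prefs(path):
    """Read a Preferences / Secure Preferences JSON file from a Chrome profile."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_extensions(prefs):
    """Return {extension_id: finding} for extensions that are sideloaded, request
    risky permissions, or inject a content script into every page."""
    findings = {}
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        sideloaded = not entry.get("from_webstore", False)
        reasons = []
        if sideloaded:
            reasons.append("not installed from the Chrome Web Store (sideloaded)")
        for perm in manifest.get("permissions", []):
            if perm in RISKY_PERMISSIONS:
                reasons.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
        for script in manifest.get("content_scripts", []):
            if "<all_urls>" in script.get("matches", []):
                reasons.append("content script injected into every page "
                               "(can read form input and keystrokes)")
                break
        if not reasons:
            continue
        risky = len(reasons) > (1 if sideloaded else 0)
        severity = "high" if sideloaded and risky else "medium" if risky else "low"
        findings[ext_id] = {
            "name": manifest.get("name", "<unnamed>"),
            "path": entry.get("path"),
            "from_webstore": not sideloaded,
            "severity": severity,
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for ext_id, f in audit_extensions(SAMPLE_PREFS).items():
        print(f"[{f['severity']}] {f['name']} ({ext_id}) at {f['path']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

To run it against a real profile, point `load_prefs` at the profile's `Secure Preferences` (or `Preferences`) file and pass the result to `audit_extensions`. A sideloaded extension with a high-severity finding is a triage lead, not proof of compromise; the manifest, the `path` it was loaded from and the browser's extension install policy decide the verdict.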
“These two families have been the object of constant development and improvement by their authors; this is probably not the last time we hear about them,” says Tiago Pereira, security researcher at Cisco Talos.
“We believe these campaigns use malicious advertising as a way to reach users who are interested in keywords related to the software and present them with links to download popular software. This type of threat can be very effective and requires the implementation of several layers of security controls, such as endpoint protection, network filtering and security awareness sessions,” he explains.