Cybercriminals are using online advertisements for fake versions of popular software to trick users into downloading three forms of malware onto Windows PCs, including a malicious browser extension with functionality comparable to a Trojan.
The attack, which distributes two previously undocumented, custom-developed malware families, was described in detail by Cisco's Talos security researchers, who called the campaign a “big game.” The campaign has been active in one form or another since 2018, and the malware appears to be under continual development. More than half of the victims are in Canada, but there are victims around the world, including in the United States, Europe, Australia and Nigeria.
Researchers believe victims are lured by malicious online advertisements into downloading fake installers for popular software onto their systems. A user may search for a legitimate copy of the software, but the advertisement leads them to a malicious one instead.
Fake versions of Viber and WeChat
The software that users are tricked into downloading includes fake versions of messaging apps such as Viber and WeChat, as well as fake installers for popular video games such as Battlefield. The installer does not install the advertised software; instead it installs three forms of malware: a password stealer, a backdoor, and a malicious browser extension that can record keystrokes and take screenshots of what the infected user is seeing.
The password stealer distributed in the attack is known as Redline. It is a relatively common piece of malware that harvests all usernames and passwords found on an infected system. The Magnat campaign previously distributed another password stealer, Azorult. The switch to Redline, as with many other malware families, may be because Azorult stopped performing well after the release of Chrome 80 in February 2020.
Password stealers are basic off-the-shelf malware, but the previously undocumented backdoor installer (which the researchers call MagnatBackdoor) appears to be a more bespoke piece of software. Its distribution has been suspended for several months.
MagnatBackdoor configures an infected Windows system to allow stealthy access over Remote Desktop Protocol (RDP), adds a new user, and schedules a task that regularly pings and checks in with the attacker's servers. The backdoor allows an attacker to quietly access the remote PC whenever needed.
The third payload is a downloader for a malicious Google Chrome extension, which the researchers call MagnatExtension. The extension is served by the attacker, not by the official Chrome extensions store.
The extension includes several ways to steal data directly from the web browser: taking screenshots, stealing cookies, stealing information entered into forms, and a keylogger that records everything the user types in the browser. All of this information is sent back to the attacker.
The researchers compared the extension's functionality to that of a banking Trojan. They suggest the ultimate goal of the malware is to obtain user credentials, either for sale on the dark web or for further exploitation by the attackers. The cybercriminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating their malware, and are likely to continue doing so.
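The three host-level changes attributed to the backdoor above (RDP enabled, a new local user, a recurring scheduled task) are individually unremarkable but unusual in combination. The following detection sketch is an added example, not code from Talos or the article: it correlates those behaviours per host over constructed Windows Security-log style records. Event IDs 4720 (user account created), 4698 (scheduled task created) and 4657 (registry value modified) are the standard Windows audit IDs; the record format and host names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample records: (host, event_id, details). Not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", 4720, "TargetUserName=svc_update"),
    ("ws-01", 4657, r"ObjectName=...\Terminal Server ObjectValueName=fDenyTSConnections NewValue=0"),
    ("ws-01", 4698, r"TaskName=\Updater Trigger=Daily"),
    ("ws-02", 4720, "TargetUserName=jsmith"),          # ordinary onboarding, nothing else
    ("ws-03", 4657, "ObjectValueName=fDenyTSConnections NewValue=0"),  # RDP enabled by IT
    ("ws-03", 4657, "ObjectValueName=fDenyTSConnections NewValue=1"),  # later disabled again
]


def classify(event_id, details):
    """Map one audit record to a behaviour tag, or None if irrelevant."""
    if event_id == 4720:
        return "new_user"
    if event_id == 4698:
        return "scheduled_task"
    # fDenyTSConnections=0 means Remote Desktop connections are allowed.
    if event_id == 4657 and "fDenyTSConnections" in details and "NewValue=0" in details:
        return "rdp_enabled"
    return None


def suspicious_hosts(events, required=("new_user", "scheduled_task", "rdp_enabled")):
    """Return hosts on which every required behaviour was observed."""
    seen = defaultdict(set)
    for host, event_id, details in events:
        tag = classify(event_id, details)
        if tag:
            seen[host].add(tag)
    return sorted(host for host, tags in seen.items() if set(required) <= tags)


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))  # → ['ws-01']
```

In practice the three events may be hours apart, so the correlation window and the list of expected administrative accounts should be tuned to the environment.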
Cisco Talos security researcher Tiago Pereira said:
“We believe these campaigns use malicious advertising as a means of reaching users interested in software-related keywords and providing links to download popular software. The threats are very effective and require the implementation of multiple layers of security controls, such as endpoint protection, network filtering and security awareness sessions,” he explains.
This malware spreads through bogus downloads.