Let me remind you that we wrote that Companies in the EU will have to remove Google Analytics from their websites, and also that Google Has Disabled Some of the Global Cache Servers in Russia.

When searched for “YouTube“, the first ad contains the correct youtube.com URL and shows additional ads below the link.

However, the link will take you to a Windows Defender tech support phishing page.

The scam sites are located at the URLs “http://matkir[.]ml” and “http://159.223.199[.]181/” and warns visitors that “Windows has been locked down due to questionable activity” as well as that “Windows Defender detected a Trojan spyware called Ads.financetrack(2).dll“.

If the user is using a VPN, the site will redirect them to the official YouTube website. When calling the specified number, the “support specialist” offered to download and install TeamViewer on the device. The scammer is likely using TeamViewer to take control of the victim’s computer in order to “fix” the bug.

In most cases, the scammer will block the device or report that the computer is infected and you need to purchase a license for technical support. Currently, the malicious campaign is still ongoing in Google search. Google has not commented on this situation.

The most popular search terms used for the campaign are:

1. YouTube;
2. Amazon;
3. Facebook;
4. Walmart.

The post Fraudsters Are Running a Malicious Advertising Campaign through Google Search appeared first on Gridinsoft Blog.

Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that Shuckworm hackers attack Ukrainian organizations with a new variant of Pteredo backdoor.

This malicious campaign uses a decoy website to lure the user to a fake news article with unreleased information about the situation in Ukraine. The site contains a malicious document that installs a RAT with the ability to remotely execute commands and file operations. The campaign was exposed by Malwarebytes threat analysts who provided all the details and signs of compromise in their report.

The cybercriminal registered a domain for the collaboration-bw[.]de phishing site after the real domain expired and cloned the look and feel of the real site.

A site visitor can find a malicious download called “2022-Q2-Bedrohungslage-Ukraine” with information about the situation in Ukraine.

According to the text, the document is constantly updated with new information and the user is strongly advised to download a fresh copy every day. The downloaded ZIP archive contains a CHM file that consists of several compiled HTML files. A fake error message is thrown when opening the file.

At this time, in the background, the file runs PowerShell and Base64 deobfuscator, which leads to the extraction and execution of malicious code from a fake site.

As a result, the script downloads two files to the victim’s computer: a RAT in the form of a .txt file and a .cmd file that helps execute malicious code through PowerShell.

The PowerShell RAT hides in Status.txt and begins its malicious operation by collecting basic system information and assigning a unique client ID. The stolen information is then exfiltrated into the German domain kleinm[.]de. To bypass Windows AMSI (Anti-malware Scan Interface), RAT uses an AES encrypted bypass function that will be decrypted immediately using a generated key.

The main features of the RAT are the following:

1. Download files from C2 server (Command and Control, C&C);
2. Uploading files to C2 server;
3. Loading and executing a PowerShell script;
4. Execution of certain commands.

Malwarebytes does not provide specific examples of the use of RAT in practice, so the goals of the campaign remain unknown.

The user needs to be careful when downloading files from the Internet, as even well-known and previously trusted websites may have quietly changed owners. When it comes to news sites, the offer to download material in document format can be seen as a potential threat.

The post Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware appeared first on Gridinsoft Blog.

At the end of last week, the hackers posted a message on their website that they had hacked Acer, and as proof of this statement, they shared screenshots of the files allegedly stolen from the company. Published images include documents, financial spreadsheets, bank balances, and messages.

Acer representatives have already commented on what is happening, but so far they avoid talking openly about the ransomware attack. Instead, the company said it had already reported the “emergency” to law enforcement agencies, but they cannot disclose details while the investigation continues.

The Record reports that analysts at Malwarebytes were able to track down another hacker site on the darknet, where victims are negotiating a ransom with attackers. Here you can see that the Acer representative was shocked by the demand of $50 million, and the negotiations were at an impasse. Journalists note that at some point, REvil operators turned to threats and vaguely advised Acer “not to repeat the fate of SolarWinds”.

The $50,000,000 ransom is the largest to date. The previous “record” was $30,000,000: the same REvil operators demanded the same amount from the hacked Dairy Farm company.

According to Bleeping Computer, specialist Vitaly Kremez discovered that some time ago, the REvil hack group was targeting a Microsoft Exchange server in the Acer domain.

Recently, the attackers behind the DearCry ransomware have already exploited ProxyLogon vulnerabilities to deploy the ransomware on vulnerable systems of small companies. Probably the REvil operators could have gone the same way.

Let me remind you that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post REvil ransomware operators attacked Acer and demand $50,000,000 appeared first on Gridinsoft Blog.

Responsibility for this campaign is put on the hacking group Chimborazo, which experts have been observing since January this year.

This campaign was named Chimborazo Dudear. Initially, hackers acted according to the classical scheme and applied malicious Excel documents to phishing emails. Then they switched to links embedded in messages. In recent weeks, the group began sending out phishing emails containing links to redirecting sites (usually legitimate resources that were hacked), and sometimes an HTML attachment containing a malicious iframe is attached to the emails.

By clicking on such a link or opening an attachment, the victim will in any case be taken to the site with the download of a malicious file. However, before accessing the file itself, the user will be forced to solve CAPTCHA.

Thus, the attackers tried to impede the work of automatic defense mechanisms, which should detect and block such attacks. Typically, this analysis is performed using bots that download malware samples, run them, and analyze them on virtual machines. CAPTCHA guarantees that a living person will load the malware sample”, — say Microsoft analysts.

Let me remind you, that by the way, 82.5% of Microsoft Exchange servers are still vulnerable.

In January of this year, Security Intelligence specialists already wrote about the attacks by the Chimborazo group. Researchers then said that a hacker group uses IP address tracking to identify computers from which they downloaded a malicious Excel file. Presumably, this was also done in order to avoid automatic detection.

Malwarebytes expert Jérôme Segura writes that the use of CAPTCHA by hackers is a rare but not unprecedented case. For example, he refers to a tweet from another information security specialist, dated late December 2019. Then, was also discovered a fake CAPTCHA, which the attackers successfully used to complicate the work of automatic analysis.

Discovered by Microsoft CAPTCHA may also be fake. As you can see in the picture above, the attacker site claims to use reCAPTCHA, but below it is stated that Cloudflare provides protection against DDoS attacks. These are two separate services, although it is possible that the hackers used both separately.

The post Hackers force users to solve CAPTCHA appeared first on Gridinsoft Blog.