Malwarebytes Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 30 May 2024 18:00:46 +0000 en-US hourly 1 https://wordpress.org/?v=73959 200474804 Fraudsters Are Running a Malicious Advertising Campaign through Google Search https://gridinsoft.com/blogs/malicious-campaign-through-google-search/ https://gridinsoft.com/blogs/malicious-campaign-through-google-search/#respond Fri, 22 Jul 2022 10:08:22 +0000 https://gridinsoft.com/blogs/?p=9560 Malwarebytes, an information security company, has discovered a large malicious campaign that skillfully uses ads and Google search. A phishing campaign using Windows tech support is spreading through Google Ads. Let me remind you that we wrote that Companies in the EU will have to remove Google Analytics from their websites, and also that Google… Continue reading Fraudsters Are Running a Malicious Advertising Campaign through Google Search

The post Fraudsters Are Running a Malicious Advertising Campaign through Google Search appeared first on Gridinsoft Blog.

]]>
Malwarebytes, an information security company, has discovered a large malicious campaign that skillfully uses ads and Google search. A phishing campaign using Windows tech support is spreading through Google Ads.
What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar. The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).Malwarebytes experts write.

Let me remind you that we wrote that Companies in the EU will have to remove Google Analytics from their websites, and also that Google Has Disabled Some of the Global Cache Servers in Russia.

When searched for “YouTube“, the first ad contains the correct youtube.com URL and shows additional ads below the link.

Malicious Campaign through Google Search

However, the link will take you to a Windows Defender tech support phishing page.

The scam sites are located at the URLs “http://matkir[.]ml” and “http://159.223.199[.]181/” and warns visitors that “Windows has been locked down due to questionable activity” as well as that “Windows Defender detected a Trojan spyware called Ads.financetrack(2).dll“.

Malicious Campaign through Google Search

If the user is using a VPN, the site will redirect them to the official YouTube website. When calling the specified number, the “support specialist” offered to download and install TeamViewer on the device. The scammer is likely using TeamViewer to take control of the victim’s computer in order to “fix” the bug.

In most cases, the scammer will block the device or report that the computer is infected and you need to purchase a license for technical support. Currently, the malicious campaign is still ongoing in Google search. Google has not commented on this situation.

The most popular search terms used for the campaign are:

  1. YouTube;
  2. Amazon;
  3. Facebook;
  4. Walmart.

The post Fraudsters Are Running a Malicious Advertising Campaign through Google Search appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/malicious-campaign-through-google-search/feed/ 0 9560
Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware https://gridinsoft.com/blogs/powershell-rat-malware/ https://gridinsoft.com/blogs/powershell-rat-malware/#respond Wed, 18 May 2022 09:30:50 +0000 https://gridinsoft.com/blogs/?p=7913 An unknown hacker attacked German users who are interested in information about the Russian invasion of Ukraine, infecting them with PowerShell RAT malware (more precisely, a remote access trojan) and stealing their data. Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that… Continue reading Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware

The post Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware appeared first on Gridinsoft Blog.

]]>
An unknown hacker attacked German users who are interested in information about the Russian invasion of Ukraine, infecting them with PowerShell RAT malware (more precisely, a remote access trojan) and stealing their data.

Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that Shuckworm hackers attack Ukrainian organizations with a new variant of Pteredo backdoor.

This malicious campaign uses a decoy website to lure the user to a fake news article with unreleased information about the situation in Ukraine. The site contains a malicious document that installs a RAT with the ability to remotely execute commands and file operations. The campaign was exposed by Malwarebytes threat analysts who provided all the details and signs of compromise in their report.

The cybercriminal registered a domain for the collaboration-bw[.]de phishing site after the real domain expired and cloned the look and feel of the real site.

A site visitor can find a malicious download called “2022-Q2-Bedrohungslage-Ukraine” with information about the situation in Ukraine.

PowerShell RAT malware

According to the text, the document is constantly updated with new information and the user is strongly advised to download a fresh copy every day. The downloaded ZIP archive contains a CHM file that consists of several compiled HTML files. A fake error message is thrown when opening the file.

At this time, in the background, the file runs PowerShell and Base64 deobfuscator, which leads to the extraction and execution of malicious code from a fake site.

PowerShell RAT malware

As a result, the script downloads two files to the victim’s computer: a RAT in the form of a .txt file and a .cmd file that helps execute malicious code through PowerShell.

The PowerShell RAT hides in Status.txt and begins its malicious operation by collecting basic system information and assigning a unique client ID. The stolen information is then exfiltrated into the German domain kleinm[.]de. To bypass Windows AMSI (Anti-malware Scan Interface), RAT uses an AES encrypted bypass function that will be decrypted immediately using a generated key.

The main features of the RAT are the following:

  1. Download files from C2 server (Command and Control, C&C);
  2. Uploading files to C2 server;
  3. Loading and executing a PowerShell script;
  4. Execution of certain commands.

Malwarebytes does not provide specific examples of the use of RAT in practice, so the goals of the campaign remain unknown.

It is difficult to attribute malicious activity to a specific actor. Based on motivation alone, we surmise that a Russian attacker may be targeting German users, but without clear links in the infrastructure or resemblance to known TTPs.Malwarebytes explains in the report.

The user needs to be careful when downloading files from the Internet, as even well-known and previously trusted websites may have quietly changed owners. When it comes to news sites, the offer to download material in document format can be seen as a potential threat.

The post Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/powershell-rat-malware/feed/ 0 7913
REvil ransomware operators attacked Acer and demand $50,000,000 https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/ https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/#respond Mon, 22 Mar 2021 16:56:15 +0000 https://blog.gridinsoft.com/?p=5283 The REvil ransomware attacked the Taiwanese company Acer (the sixth-largest computer manufacturer in the world, accounting for about 6% of all sales). Cybercriminals are demanding from the manufacturer $50,000,000, which is the largest ransom in history. At the end of last week, the hackers posted a message on their website that they had hacked Acer,… Continue reading REvil ransomware operators attacked Acer and demand $50,000,000

The post REvil ransomware operators attacked Acer and demand $50,000,000 appeared first on Gridinsoft Blog.

]]>
The REvil ransomware attacked the Taiwanese company Acer (the sixth-largest computer manufacturer in the world, accounting for about 6% of all sales). Cybercriminals are demanding from the manufacturer $50,000,000, which is the largest ransom in history.

At the end of last week, the hackers posted a message on their website that they had hacked Acer, and as proof of this statement, they shared screenshots of the files allegedly stolen from the company. Published images include documents, financial spreadsheets, bank balances, and messages.

ransomware REvil attacked Acer

Acer representatives have already commented on what is happening, but so far they avoid talking openly about the ransomware attack. Instead, the company said it had already reported the “emergency” to law enforcement agencies, but they cannot disclose details while the investigation continues.

Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries. We have continuously enhanced our cybersecurity infrastructure to protect business continuity and information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices and be vigilant to any network activity abnormalities. reported Acer representatives.

The Record reports that analysts at Malwarebytes were able to track down another hacker site on the darknet, where victims are negotiating a ransom with attackers. Here you can see that the Acer representative was shocked by the demand of $50 million, and the negotiations were at an impasse. Journalists note that at some point, REvil operators turned to threats and vaguely advised Acer “not to repeat the fate of SolarWinds”.

ransomware REvil attacked Acer

The $50,000,000 ransom is the largest to date. The previous “record” was $30,000,000: the same REvil operators demanded the same amount from the hacked Dairy Farm company.

According to Bleeping Computer, specialist Vitaly Kremez discovered that some time ago, the REvil hack group was targeting a Microsoft Exchange server in the Acer domain.

Recently, the attackers behind the DearCry ransomware have already exploited ProxyLogon vulnerabilities to deploy the ransomware on vulnerable systems of small companies. Probably the REvil operators could have gone the same way.

Let me remind you that REvil spokesman boasts that hackers have access to ballistic missile launch systems.

The post REvil ransomware operators attacked Acer and demand $50,000,000 appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/revil-ransomware-attacked-acer/feed/ 0 5283
Hackers force users to solve CAPTCHA https://gridinsoft.com/blogs/hackers-force-users-to-solve-captcha/ https://gridinsoft.com/blogs/hackers-force-users-to-solve-captcha/#respond Wed, 24 Jun 2020 16:45:28 +0000 https://blog.gridinsoft.com/?p=3970 Microsoft analysts have discovered a malicious campaign, in which hackers force users to solve CAPTCHA before they gain access to malicious content in an Excel document. This file contains macros that install on the victims’ machines GraceWire Trojan, which steals confidential information (for example, passwords). Responsibility for this campaign is put on the hacking group… Continue reading Hackers force users to solve CAPTCHA

The post Hackers force users to solve CAPTCHA appeared first on Gridinsoft Blog.

]]>
Microsoft analysts have discovered a malicious campaign, in which hackers force users to solve CAPTCHA before they gain access to malicious content in an Excel document. This file contains macros that install on the victims’ machines GraceWire Trojan, which steals confidential information (for example, passwords).

Responsibility for this campaign is put on the hacking group Chimborazo, which experts have been observing since January this year.

This campaign was named Chimborazo Dudear. Initially, hackers acted according to the classical scheme and applied malicious Excel documents to phishing emails. Then they switched to links embedded in messages. In recent weeks, the group began sending out phishing emails containing links to redirecting sites (usually legitimate resources that were hacked), and sometimes an HTML attachment containing a malicious iframe is attached to the emails.

Hackers force to solve CAPTCHA
Scheme of the attack

By clicking on such a link or opening an attachment, the victim will in any case be taken to the site with the download of a malicious file. However, before accessing the file itself, the user will be forced to solve CAPTCHA.

Thus, the attackers tried to impede the work of automatic defense mechanisms, which should detect and block such attacks. Typically, this analysis is performed using bots that download malware samples, run them, and analyze them on virtual machines. CAPTCHA guarantees that a living person will load the malware sample”, — say Microsoft analysts.

Let me remind you, that by the way, 82.5% of Microsoft Exchange servers are still vulnerable.

In January of this year, Security Intelligence specialists already wrote about the attacks by the Chimborazo group. Researchers then said that a hacker group uses IP address tracking to identify computers from which they downloaded a malicious Excel file. Presumably, this was also done in order to avoid automatic detection.

Malwarebytes expert Jérôme Segura writes that the use of CAPTCHA by hackers is a rare but not unprecedented case. For example, he refers to a tweet from another information security specialist, dated late December 2019. Then, was also discovered a fake CAPTCHA, which the attackers successfully used to complicate the work of automatic analysis.

Hackers force to solve CAPTCHA

Discovered by Microsoft CAPTCHA may also be fake. As you can see in the picture above, the attacker site claims to use reCAPTCHA, but below it is stated that Cloudflare provides protection against DDoS attacks. These are two separate services, although it is possible that the hackers used both separately.

The post Hackers force users to solve CAPTCHA appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hackers-force-users-to-solve-captcha/feed/ 0 3970