Ov3r_Stealer Abuses Facebook Job Ads

Scammers use elaborate job ads posted on Facebook. These seem legitimate at first glance and target a wide range of job seekers with the promise of lucrative opportunities. As the experts at Trustwave clarify intruders use a PDF file that masquerades as a legitimate document hosted on OneDrive. Prospective victims are lured into clicking an “Access Document” button embedded within the PDF, which initiates a chain of malicious events.

The Ov3r_Stealer infection chain is a sophisticated cyber system designed to compromise systems and steal sensitive data. Being a rather classic infostealer, it primarily attracts attention due to the unusual way of propagation. It begins with deceptive tactics, ensuring persistence for data collection and stolen crypto. The infection chain is next:

1. Initial Access

To direct the victim to the surprise PDF, a fake Facebook account posing as Amazon CEO Andy Jassy is created with a link to OneDrive. After clicking “Access Document” from the Facebook page, a .url file is downloaded, which starts the second step.

2. Payload Downloading

After clicking on the Access Document button, the victim is taken to a .url file to download. It is masquerading as a legitimate ‘DocuSign’ document. The .url file directs to an IP address with a pdf2.cpl file inside the data2.zip archive on the remote host. Since this is a Windows Panel (.cpl) file, Windows allows this operation. Further, the final payload of this malware is also targeted at Windows-based systems.

3. Additional Loaders

At this stage, the malware may utilize additional loaders or components to further execute and propagate. The loaders are used to facilitate the installation and execution of the final payload, allowing the malware to function efficiently and effectively in the compromised environment.

4. Final Payload

There are three files that make up the final payload, and each loader stage brings them in: WerFaultSecure.exe, Wer.dll, Secure.pdf. Once executed, the malware will establish persistence to ensure it is always running and exfiltrate specific data to a monitored Telegram channel.

5. Gaining Persistence

To ensure its continued presence and operation within the compromised system, the malware establishes persistence mechanisms. This may involve modifying system settings, creating registry entries, or scheduling tasks to ensure that the malware remains active and operational even after system reboots or security scans.

6. System Surveillance & Data Collection

Once established within the compromised system, the malware begins collecting sensitive data and discovering valuable information. This stage may involve scanning the infected device for credentials, cryptocurrency wallets, and other valuable data, as well as identifying potential targets for further exploitation.

7. Data Exfiltration

The final stage of the malware operation involves exfiltrating stolen data from the compromised system to external servers or channels controlled by the attackers. This may include transmitting sensitive information such as credentials, financial data, or proprietary information to remote locations, enabling the attackers to harvest and exploit it for nefarious purposes.

Similarities with Phemedrone Stealer

Experts note that Ov3r_Stealer shares some similarities with another stealer malware called Phemedrone Stealer, which we covered recently. Both malware use the same GitHub repository (nateeintanan2527) and the same infection chain involving PDF files, URL files, CPL files, and PowerShell loaders. They also exploit the same Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025) to evade detection. There is actually one more malicious program that exploits the same SmartScreen Vulnerability, dubbed Mispadu – check out our report.

The only serious difference between the subject and a Phemedrone is that the latter is written in C#, while Ov3r_Stealer is written in C++. The report suggests that Phemedrone may have been re-purposed and renamed to Ov3r_Stealer by the same or different threat actors. Either way, such similarities are rarely a coincidence in the malware world.

How to Protect Against Malware in Ads?

Malware that spreads through advertisements is nothing new, thus the recommendations and effective counteraction measures are well elaborated. As major ad providers struggle (or are unwilling) to filter malicious ads, the best option is to avoid interacting with them at all. If the thing from the banner attracted your attention, it is better to go check it by yourself. Benign advertisers always mention their website either on the banner or in the description, so you won’t get lost there.

A more reactive though more reliable and relaxed approach is using advanced anti-malware software. Stealer malware rely on stealthiness, but they can barely disguise their malignant activity – and here is where heuristic detection shines. With its advanced Proactive Protection mode, GridinSoft Anti-Malware will be able to prevent malware infections at their very beginning.

The post Ov3r_Stealer Steals Crypto and Credentials, Exploits Facebook Job Ads appeared first on Gridinsoft Blog.

How does malvertising work?

Malvertising is an attack where malicious code is inserted into legitimate online advertising networks. This code usually leads users to harmful websites.

Some malicious actors create fake websites that mimic legitimate software sites, using tactics like typosquatting (using misspelled versions of well-known brand and company names as their URL) or combosquatting (combining popular names with random words for their URL). This makes the fake sites appear legitimate to unsuspecting users, as their domain names reference the original software or vendor. The fake web pages are designed to look identical to the real ones, and the threat actors pay to promote the site through search engines to boost its visibility.
Fake WinRar ad on Google

Google has a vast user base, processing over 8 billion daily queries. This makes their search results one of the largest advertising networks available. Unfortunately, a single malicious ad can potentially be viewed by millions of people, causing thousands to click on it. The situation worsens exponentially when at least ten topics contain negative Google ads.

BatLoader as malware loader

BatLoader is a type of malware that enables cybercriminals to download more advanced and harmful malware onto a targeted system. The batch script can download two specific types of malware: IcedID, and Gozi/Ursnif, a backdoor.

It’s worth noting that the BatLoader campaign is still using malvertising, unlike IcedID. What’s particularly interesting is that there has been a shift in the type of users being targeted. While malicious ads previously targeted those searching for IT tools in late 2022 and early 2023, more recent campaigns now use AI-related lures to target users searching for devices such as Midjourney and ChatGPT.

IcedID Malware

IcedID (a.k.a BokBot) is a type of malware that was first discovered in 2017 and classified as both a banking Trojan and a remote access Trojan (RAT). Experts say IcedID is as powerful as other advanced banking Trojans like Zeus, Gozi, and Dridex. To infect a system, IcedID relies on other malware like Emotet to get initial access. Once it’s in, IcedID can steal financial information and even drop malware like ransomware. It’s also capable of moving through a network with ease.

The group called Shatak often sends phishing emails to spread malware called IcedID. They attach Microsoft Office documents with macros, .iso files, or encrypted .zip archives. Once the malware infects a system, it searches for the best way to spread and gain control. It does this by looking for a way to install itself without being detected and then waits for the system to reboot before activating its main module. By doing this, IcedID can blend in with legitimate processes, making it harder to detect.

Gozi backdoor/banking trojan

URSNIF, the malware known as Gozi that attempts to steal online banking credentials from victims’ Windows PCs, is evolving to support extortionware. This banking trojan has been around since the mid-2000s and is one of the oldest. It has multiple variants and has been known by names such as URSNIF, Gozi, and ISFB. These are the most effective methods for protecting yourself from attack: encountering other malware families, and its source code has been leaked twice since 2016. According to malware analysts, it is now considered a “set of related siblings” rather than a single malware family.

Malware Mitigation and Prevention

Detecting and mitigating malvertising attacks can be challenging, and both end users and publishers must take action to combat this threat. Implementing a comprehensive cybersecurity program at the enterprise level is the best way to protect against malvertising. Organizations can reduce their risk of falling victim to these attacks by taking appropriate precautions.

These are the most effective methods for protecting yourself from attack:

• Antivirus software can protect certain types of threats, such as drive-by downloads or malicious code that malvertising may execute.
• Ad blockers can provide adequate protection against malvertising since they block all ads and their potentially harmful components.
• By updating your browser and plugins, you can prevent numerous malvertising attacks, especially the ones that occur before the user clicks on an advertisement.
• It is recommended to prioritize critical systems and implement Zero Trust solutions whenever feasible.
• Implementing multi-factor authentication for all essential services, particularly online banking and cryptocurrency accounts, is advisable.
• It is recommended to conduct user awareness training to educate employees about phishing techniques. Additionally, it is advisable to establish standard operating procedures (SOPs) for dealing with suspicious emails and documents.

Knowing standard social engineering tactics like phishing and malspam techniques to detect malware attacks is essential. While network traffic analysis can help see known versions of malware after infection, developers frequently update their malware with new methods to evade detection. This makes reliably detecting malware infections difficult without advanced endpoint protection products.

The post Gozi and IcedID Trojans Spread via Malvertising appeared first on Gridinsoft Blog.

Operators Distributing Ransomware Disguised as WinSCP

Researchers acknowledged that BlackCat operators were using malicious ads to distribute fraudulent WinSCP file transfer application installers. In this case, the distribution involved a Web page for the well-known WinSCP application, an open-source Windows file transfer application. In a nutshell, attackers use SEO poisoning to spread malware through online advertisements. They hijack a select set of keywords to display phishing site ads on Bing and Google search results pages. These ads redirect unsuspecting users to a phishing copy of the original web page.

Thus, scammers try to make users download the malware masked as a legitimate app. However, the victim gets a backdoor containing a Cobalt Strike beacon instead of a legitimate WinSCP app. The backdoor, in turn, connects to a remote server for subsequent operations. It also uses legitimate tools like AdFind to facilitate network discovery. Attackers use the access granted by Cobalt Strike to download programs to perform reconnaissance, tallying, lateral movement, antivirus software circumvention, and data exfiltration. That tactic is aimed at infecting corporate users – a pretty unique approach when it comes to ransomware spreading methods.

According to the researchers, the attackers managed to steal top-level administrator privileges, which allowed them to perform post-exploitation actions. In addition, they tried to set up persistence with remote management tools such as AnyDesk and gain access to backup servers. Unfortunately, this is not an isolated case but rather a trend. We’ve already told you how attackers use the Google Ads platform to spread malware.

What Is BlackCat Ransomware?

BlackCat is a dangerous malware strain that emerged in November 2021. It is operated by a Russian-speaking cybercrime group called ALPHV. It is the first significant malware written in the Rust programming language and can attack Windows and Linux systems. BlackCat uses a triple-extortion tactic in its ransomware campaigns, targeting various industries, including finance, manufacturing, and legal services. It has compromised around 200 enterprise organizations between November 2021 and September 2022 and is related to other ransomware variants such as BlackMatter and DarkSide.

BlackCat gang is known for being pretty radical when it comes to data leaks. Once the company they’ve attacked refuses to pay, hackers open access to all the extracted data. And contrary to other ransomware gangs, ALPHV/BlackCat does this on the clear web website. In the past year, they exposed a huge number of people by publishing data extracted from Allison Resort and University of Pisa.

General recommendations

As for organization-level protection, there’s a whole set of recommendations that organizations that care about security for themselves and their customers take for granted. A detailed understanding of attack scenarios enables organizations to identify vulnerabilities that can lead to compromise and critical damage and take the necessary steps to prevent them. However, what about individual users? Here we recommend following these simple but effective tips:

• Be extremely careful when searching for and downloading necessary programs from the Internet.
• Do not click on advertising links on the search page.
• Use ad blockers
• Use a trusted antimalware program

Following these rules will minimize the chances of compromising personal computers and workstations, or corporate devices.

The post BlackCat Ransomware Employs Malvertising In Targeted Attacks appeared first on Gridinsoft Blog.

What is malvertising in Google Search?

First, let’s check out key definitions, as they may be unfamiliar to some users. Malvertising is a shortening from “malicious advertising”, which says for itself pretty well. Ads in Google Search, on the other hand, are trusted, as they carry the name of the biggest search engine. Days before, they proved to have a robust check-up mechanism that weeded out potentially harmful things from search results. Things have changed around the last few months, exactly, in November 2022. Malicious ads that tried to mimic downloading pages of legitimate tools filled the search results, often dumping the genuine page to the 4-5th position in results.

As Microsoft tightens loose ends and macro-based malware droppers become more difficult for Threat Actors to leverage – data traffickers are increasingly abusing SEO poisoning and/or malvertising.

Intel via @malwrhunterteam & @wdormann pic.twitter.com/iKy7yEN3g2

— vx-underground (@vxunderground) January 18, 2023

These links generally try to fake not only the header of a page but also the URL address. They include the name of a program, and a couple of keywords to look legitimate. Words may be added through a dash symbol, or as a second-level domain. The top-level domain, meanwhile, is usually something cheap, like .click or .top. Such TLDs cost around a dollar, and usually require no documents to register. More expensive domains, like a classic .com, may be used as well, so don’t accept them as a quality mark.

Some fake advertisements may include a so-called domain cloaking. The starting URL will be 100% legitimate, like youtube.com or twitter.com. Once you click, a cloaking mechanism will trigger, and throw you to a site that is completely different from the one you were seeing in the URL bar. This approach is more about tricking people into calling fake support or installing “a recommended security tool”.

Generally, malicious ads appear on search queries related to popular free programs. By now I found malicious ads for the following programs and software packages:

• Blender
• VLC Player
• Oracle VM VirtualBox
• Notepad ++
• LibreOffice
• Capcut
• OBS Studio
• CCleaner
• WinRAR
• Rufus
• Adobe products
• Zoom Video
• AMD and nVidia drivers
• Python libraries

Why do they appear?

First and foremost reason for the appearance of these ads is poor control of advertising content by Google. Sure, the company is not a vice squad, and should not retain the utterly high quality of advertising. But it is subpar for the image of such a company to allow purely fake ads to be posted, especially at top search result positions. Some time before, the same “pandemic” happened on YouTube. Massive amounts of copy-paste scam charity fund advertisements, giveaways, fake promotions of a new iPhone/Samsung with 80% discount – they were not just of low quality or unconvincing. All these things point to some serious problems within Google’s team that is in order for reviewing advertisements to post.

Another side of the coin is scoundrels who actually organise this mess. Most of the time, events of this sort are aimed at spreading malware. The more such methods are available, the more sustainable the hackers’ “business”. At the edge of 2022, Microsoft finally banned the execution of macros that come from the Internet. Macros are MS Office applets that allow dynamically-updated content to the documents. The breaches in the mechanism used to handle them are so easy to exploit that hackers were using it massively to drop the malware payload. After that ban, crooks started searching for another remedy for their shady deeds. And Google Search ads happened on their way.

Is Google Search malvertising dangerous?

Google has immense user coverage. With over 8 billion queries a day, it makes search results probably one of the biggest advertising networks under the sun. One malicious ad may be seen by millions, and thousands will click it. When there are at least 10 topics that contain malicious Google ads – things go worse by orders of magnitude.

Last night my entire digital livelihood was violated.

Every account connected to me both personally and professionally was hacked and used to hurt others.

Less importantly, I lost a life changing amount of my net worth

— NFT God (@NFT_GOD) January 15, 2023

Above you may see a sad story of a Twitter user with the nickname NFT God, who got some serious damage after being baited to download OBS Studio via such a fake link.

As research shows, most of the time malware that is delivered after following that link aims at stealing data. The file you are offered to download is not malware itself, it is a malignant script whose sole purpose is to contact the C&C server. It, in turn, sends malware to your device, using a connection that the script has established. Spyware that arrives in such a way will give no chance to your privacy. Ransomware is yet another malware type that may arrive through such an approach.

Other possible instances of Google Search malvertising contain tech support scam offers. That is the case when a group of rascals imposes legit tech support. They usually take the name of Microsoft, and the banners usually contain “urgent security note from Microsoft”. Such a note says your PC is either blocked or flooded with malware, and you need to contact their “support” urgently. The number posted on the banner leads you to a scam tech support that will force you to either give remote access to your PC or install a questionable program “to clean the system”.

How to protect me from Google Search malvertising?

Google used to pay a lot of attention to its ads. Possibly, it just has some problems with retaining concentration, thus the problem will be fixed pretty quickly. But it is always better to hope for the best and be ready for the worst.

• Avoid advertisements in Google Search. Even if you see them having a link to a legit site, it is not always representative of where it will send you. When the top search results consist generally of ads, scroll down to find the links to genuine pages.
• Use a different search engine. Being the biggest search engine does not always mean having outstanding search results. Some people prefer DuckDuckGo because of its claims about being free of tracking and telemetry. However, it may fit the case of fishy ads in Google Search as well. You are free to try any of the ones present on the market.
• Apply using decent anti-malware software. Only by having a tool that can effectively say if the file you’ve got from the Internet is clear or malicious will you be sure about your actions. Having one which is able to block access to malicious sites will seriously mitigate the problem. GridinSoft Anti-Malware is the one that can fulfill both needs – malware detection and network security. Constant database updates allow it to retain efficiency even against the latest threats.

The post Google Search Malvertising: Fake Ads of Free Programs in Google Ads appeared first on Gridinsoft Blog.