A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

May 2, 2023 | Ravie Lakshmanan | Malvertising / Cyber threat


In yet another instance of Google Ads being abused to deliver malware, a threat actor has been observed using the technique to distribute a new Windows-based financial and information-stealing Trojan called LOBSHOT.

“LOBSHOT continues to pick up victims while staying under the radar,” Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week.

“One of the core capabilities of LOBSHOT is around its hVNC (Hidden Virtual Network Computing) component. These types of modules allow direct and unobserved access to the machine.”

The American-Dutch company attributed the malware strain to a threat actor known as TA505, based on infrastructure historically connected to the group. TA505 is a financially motivated cybercrime syndicate that overlaps with activity clusters tracked as Evil Corp, FIN11, and Indrik Spider.


The latest development is significant because it is a sign that TA505, which is associated with the Dridex banking Trojan, is once again expanding its malware arsenal to perpetrate data theft and financial fraud.

LOBSHOT, with early samples dating back to July 2022, is distributed via rogue Google ads for legitimate tools like AnyDesk, hosted on a network of lookalike landing pages maintained by the operators.

The malware incorporates dynamic import resolution (i.e., resolution of required Windows API names at runtime), anti-emulation checks, and string obfuscation to avoid detection by security software.

Once installed, it makes changes to the Windows Registry to configure persistence and extract data from more than 50 cryptocurrency wallet extensions present in web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.


LOBSHOT’s other notable features revolve around its ability to remotely access the compromised host via an hVNC module and perform actions on it stealthily without attracting the victim’s attention.

“Threat groups continue to take advantage of malvertising techniques to disguise legitimate software with backdoors like LOBSHOT,” Stepanic said.

“These types of malware look small, but they end up incorporating important functionality that helps threat actors move quickly during the initial access stages with fully interactive remote control capabilities.”


The findings also highlight how a growing number of adversaries are adopting malicious advertising and SEO poisoning to redirect users to fake websites that serve trojanized installers of popular software.
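The lookalike landing pages described here and in the AnyDesk paragraph above suggest one defender-side check: compare the registrable label of every host that served an installer against the vendors the organization actually allowlists, and alert on near-misses. This is an added example, not code from Elastic Security Labs or the article; the three vendor domains are real, but the allowlist itself, the proxy-log format and every lookalike host and log line are constructed for the example.

```python
import re

# Real vendor domains an organisation allowlists (assumption: only these three).
LEGIT_DOMAINS = {"anydesk.com", "google.com", "microsoft.com"}
INSTALLER_RE = re.compile(r"\.(exe|msi|zip)(\?|$)", re.IGNORECASE)
# Constructed proxy-log format: "<timestamp> <client_ip> GET <url> <status>"
LOG_RE = re.compile(r"\S+ \S+ GET https?://([^/\s]+)(/\S*) \d{3}")

def levenshtein(a, b):
    """Edit distance between two short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """'download.anydesk.com' -> 'anydesk' (assumption: no co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_lookalike_downloads(log_lines, max_distance=2):
    """Return (host, path, imitated_vendor) for installer downloads from hosts that
    are not allowlisted but sit within max_distance edits of an allowlisted vendor
    label; distance 0 (same label, different TLD) is the most suspicious case."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not INSTALLER_RE.search(m.group(2)):
            continue  # not an installer download
        host, path = m.group(1).lower(), m.group(2)
        if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
            continue  # genuine vendor host
        label = registrable_label(host)
        vendor, dist = min(((d, levenshtein(label, registrable_label(d)))
                            for d in LEGIT_DOMAINS), key=lambda t: t[1])
        if dist <= max_distance:
            hits.append((host, path, vendor))
    return hits

# Constructed sample log lines; .example is a reserved TLD, so nothing here is real.
SAMPLE_LOG = [
    "2023-04-28T10:01:02Z 10.0.0.5 GET https://download.anydesk.com/AnyDesk.exe 200",
    "2023-04-28T10:03:11Z 10.0.0.7 GET https://anydeskk.example/AnyDesk.exe 200",
    "2023-04-28T10:04:40Z 10.0.0.9 GET https://any-desk.example/setup.msi 200",
    "2023-04-28T10:05:00Z 10.0.0.9 GET https://www.microsoft.com/ 200",
]
```

Running `flag_lookalike_downloads(SAMPLE_LOG)` returns the two `.example` hosts and leaves the genuine `download.anydesk.com` download alone; a real deployment would feed it the organization's own vendor list and proxy export.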

According to data from eSentire, the threat actors behind GootLoader have been linked to a series of attacks targeting law firms and corporate legal departments in the US, Canada, UK and Australia.

GootLoader, active since 2018 and operating as an initial access-as-a-service provider for ransomware attacks, employs SEO poisoning to lure victims searching for agreements and contracts to compromised WordPress blogs that link to the malware.

In addition to geofencing so that only victims in selected regions are targeted, the attack chain is designed so that the malware can be downloaded only once per day from a given hijacked site, which hampers incident responders trying to retrieve a sample.

GootLoader’s use of IP addresses to recognize already-infected victims, eSentire found, could be turned against it to preemptively block end-user IP addresses and shield organizations from potential infections.

A recent security breach has been discovered by the cybersecurity firm Ikaroa. This malicious code, referred to as “A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads”, has the potential to obtain highly sensitive financial information from unsuspecting victims.

The malicious code was delivered through Google Ads and is capable of stealing personal and financial information from victims’ phones or computers. It can also be used for further malicious activities such as issuing fraudulent credit cards, making unauthorized payments from bank accounts, or, in extreme cases, identity theft.

This type of attack is becoming increasingly frequent as more companies take advantage of digital marketing platforms such as Google Ads. Cybercriminals exploit vulnerable systems and a lack of resources to deploy malicious code.

This is yet another reminder that online security is an extremely important issue. Companies and individuals are urged to be vigilant and to use precautionary measures when engaging in online activities such as online banking, online shopping, and online communication. Most importantly, people should be aware of what clicks they make, as clicking a single malicious advertisement can lead to identity theft.

In response to this threat, the cybersecurity firm Ikaroa is developing a suite of solutions designed to give cybersecurity professionals and consumers the knowledge and resources necessary to prevent and reduce the likelihood of becoming a target of this type of attack. These solutions include malware detection and threat detection, data encryption, and user policies and practices.

Through these solutions, Ikaroa aims to ensure that all users are aware of the risks associated with online activities and have the tools necessary to protect themselves from malicious activity. By having a comprehensive security strategy in place and promoting cyber security awareness, Ikaroa is working to build a trusted and secure digital world.
