New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said. While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[. The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal. At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking. The signed MSI installer that's hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat, which serves as a conduit to deploy RedLine Stealer on the compromised host. "It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page," Segura noted. This is far from the first time deceptive Google Ads for popular software have turned out to be a malware distribution vector. Last week, cybersecurity firm eSentire disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack. Two other campaigns documented by the Canadian cybersecurity firm show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families like NetWire RAT, DarkGate, and DanaBot in recent months. The development comes as threat actors continue to increasingly rely on adversary-in-the-middle phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts. To top it all, eSentire also called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first para of a Wikipedia article and sharing it on Slack. Specifically, it exploits a quirk in Slack that "Mishandle[s] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform. It's worth pointing out that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain and that the two paragraphs should appear within the first 100 words of the article. With these restrictions, a threat could weaponize this behavior such that the way Slack formats the shared page's preview results points to a malicious link that, upon clicking, takes the victim to a booby-trapped site. "If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it," eSentire said.

This Cyber News was published on thehackernews.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000


Cyber News related to New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers - A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising ...
1 year ago Thehackernews.com
FakeBat delivered via several active malvertising campaigns - February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection. One ...
9 months ago Malwarebytes.com
The Surge of FakeBat Malware in Search-Based Malvertising Campaigns - In recent months, cybersecurity researchers have observed a concerning surge in search-based malvertising campaigns, with documented incidents nearly doubling compared to previous periods. Amidst this uptick in online threats, one particular malware ...
9 months ago Cysecurity.news
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection - An ongoing malvertising campaign is being used to distribute virtualized. NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion ...
1 year ago Thehackernews.com
Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
1 year ago Darkreading.com
Fake browser updates spread updated WarmCookie malware - The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates. FakeUpdate is a cyberattack strategy used by a ...
2 months ago Bleepingcomputer.com
Arc browser's Windows launch targeted by Google ads malvertising - A new Google Ads malvertising campaign, coinciding with the launch of the Arc web browser for Windows, was tricking people into downloading trojanized installers that infect them with malware payloads. The Arc browser is a new web browser featuring ...
6 months ago Bleepingcomputer.com
Fake KeePass site uses Google Ads and Punycode to push malware - A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware. Google has been battling with ongoing malvertising campaigns that allow ...
1 year ago Bleepingcomputer.com
Malvertisers zoom in on cryptocurrencies and initial access - While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks. The threat actors are using a number of ...
1 year ago Malwarebytes.com
New Web injections campaign steals banking data from 50,000 people - A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan. IBM's security team discovered this evasive threat ...
1 year ago Bleepingcomputer.com
CVE-2008-7092 - Multiple cross-site scripting (XSS) vulnerabilities in Unica Affinium Campaign 7.2.1.0.55 allow remote attackers to inject arbitrary web script or HTML via a Javascript event in the (1) url, (2) PageName, and (3) title parameters in a ...
7 years ago
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors - Earlier this year, Mandiant's Managed Defense threat hunting team identified an UNC2975 malicious advertising campaign promoting malicious websites themed around unclaimed funds. In each investigation under this campaign, Mandiant identified browser ...
1 year ago Mandiant.com
Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores - Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors ...
2 months ago Hackread.com
Russian Cyberattackers Launch Multiphase PsyOps Campaign - Russia-linked threat actors employed both PysOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe. The ...
9 months ago Darkreading.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
1 year ago Thehackernews.com
Qbot malware returns in campaign targeting hospitality industry - The QakBot malware is once again being distributed in phishing campaigns after the botnet was disrupted by law enforcement over the summer. In August, a multinational law enforcement operation called Operation Duck Hunt accessed the QakBot admin's ...
1 year ago Bleepingcomputer.com
Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
5 months ago Bleepingcomputer.com
Cybercriminals expand targeting of Iranian bank customers with known mobile malware - Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers. The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their ...
1 year ago Therecord.media
AI Threat Scenario, GuLoader, DarkGate, MirrorBlast, Kutaki Stealer and More - In this version of the Hacker's Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats, including a newly created scenario that leverages AI Generated malware. McAfee Labs researchers recently ...
6 months ago Securityboulevard.com
The Fake Browser Update Scam Gets a Makeover - One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months. New research shows the attackers behind one such ...
1 year ago Krebsonsecurity.com
How Kasada Counters Toll Fraud and Fake Account Creation for Enterprises - Toll fraud and fake account creation are two advanced threats that bad actors employ for massive profit. Fake Account Creation is committed by a wide range of attackers, through automating the generation of new user accounts en masse, which then get ...
1 year ago Securityboulevard.com
Threat Group Using Rare Data Transfer Tactic in New RemcosRAT Campaign - A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is back at it again, this time with a new tactic for transferring data without triggering endpoint detection and response ...
11 months ago Darkreading.com
Attackers Targeting Recruiters With More_Eggs Backdoor - FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers ...
2 months ago Darkreading.com
macOS Malware Campaign Showcases Novel Delivery Technique - Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users. What makes the campaign different from numerous others that have employed a similar ...
10 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)