Malvertising Campaign Exploits Trojanized Installers for Popular Software
In a concerning development, a malvertising campaign has been identified that is leveraging trojanized installers for popular software, including Google Chrome and Microsoft Teams. The campaign involves the use of lookalike websites that host malicious payloads and redirect unsuspecting users after they search for legitimate software on search engines like Google and Bing. This article will delve into the details of this campaign, the backdoor called Oyster that is being dropped, and the tactics employed by the threat actors.
The attack begins when users are lured to fake websites that claim to offer legitimate software downloads. However, attempting to download the setup binary from these websites instead initiates a malware infection chain. The executable serves as a pathway for the Oyster backdoor, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution.
It is worth noting that the Oyster backdoor has been observed in the past being delivered through a dedicated loader component known as Broomstick Loader. But in the latest attack chains, the backdoor is directly deployed. Oyster is believed to be associated with ITG23, a Russia-linked group infamous for the TrickBot malware. This group has a reputation for deploying sophisticated malware and conducting financially motivated attacks.
After the execution of the Oyster malware, the attackers install the legitimate Microsoft Teams software on the compromised system. This step is aimed at deceiving users and avoiding raising suspicion. Additionally, Rapid7, the cybersecurity firm that discovered the campaign, observed the malware being used to spawn a PowerShell script responsible for setting up persistence on the infected system. This could allow the attackers to maintain access to the compromised system even after a reboot, making it harder for victims to remove the malware.
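The two behaviours described above (an installer fetched from a lookalike vendor site, then that installer spawning a PowerShell process for persistence) are the kind of thing a defender can correlate from endpoint telemetry. The following is an added illustration, not code from the original article or from Rapid7's research: it flags downloads from domains that sit within a small edit distance of a trusted vendor domain, and flags a downloaded setup binary that goes on to launch powershell.exe. The log format, the allow-list of vendor domains, the threshold, and every hostname and path in the sample log are constructed assumptions for the example, not indicators from the real campaign.

```python
"""Added example: correlate lookalike-domain downloads with installer-spawned
PowerShell in a constructed pipe-delimited endpoint log. Not part of the
original article; all domains, paths and thresholds are illustrative."""
from typing import Dict, List, Optional

# Assumed allow-list of legitimate vendor download domains (registered domain).
TRUSTED_DOWNLOAD_DOMAINS = ["google.com", "microsoft.com"]
MAX_EDIT_DISTANCE = 2   # tokens this close to a vendor name are treated as lookalikes
MIN_TOKEN_LEN = 4       # ignore very short tokens to limit false positives


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the constructed data here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_lookalike(host: str) -> Optional[str]:
    """Return the trusted domain this host imitates, or None.

    Exact trusted domains are never lookalikes. Otherwise the second-level
    label is split on '-' and each token is compared with each vendor name,
    so 'micros0ft-teams.example' and 'microsoft-teams.example' both flag."""
    dom = registered_domain(host)
    if dom in TRUSTED_DOWNLOAD_DOMAINS:
        return None
    tokens = [t for t in dom.split(".")[0].split("-") if len(t) >= MIN_TOKEN_LEN]
    for trusted in sorted(TRUSTED_DOWNLOAD_DOMAINS):
        brand = trusted.split(".")[0]
        if any(levenshtein(t, brand) <= MAX_EDIT_DISTANCE for t in tokens):
            return trusted
    return None


def parse_line(line: str):
    """Format (assumed): <timestamp>|<event>|key=value|key=value..."""
    ts, event, *kv = line.split("|")
    fields = dict(p.split("=", 1) for p in kv)
    return ts, event, fields


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run both rules over the log and return alerts in log order."""
    alerts: List[Dict[str, str]] = []
    downloaded: Dict[str, str] = {}  # lowercased file path -> host it came from
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)
        if event == "download":
            downloaded[f["file"].lower()] = f["host"]
            imitated = is_lookalike(f["host"])
            if imitated:
                alerts.append({"ts": ts, "rule": "lookalike_download",
                               "host": f["host"], "imitates": imitated,
                               "file": f["file"]})
        elif event == "process":
            parent = f["parent"].lower()
            child_name = f["child"].lower().rsplit("\\", 1)[-1]
            # A freshly downloaded setup binary launching PowerShell is the
            # persistence step the article describes; msiexec etc. is normal.
            if parent in downloaded and child_name == "powershell.exe":
                alerts.append({"ts": ts, "rule": "installer_spawned_powershell",
                               "parent": f["parent"], "host": downloaded[parent],
                               "cmdline": f.get("cmdline", "")})
    return alerts


# Constructed sample telemetry: one suspicious chain, one benign install.
SAMPLE_LOG = r"""
2024-06-20T10:00:01Z|download|host=www.micros0ft-teams.example|file=C:\Users\alice\Downloads\MSTeamsSetup.exe
2024-06-20T10:00:09Z|process|parent=C:\Users\alice\Downloads\MSTeamsSetup.exe|child=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -File C:\Users\alice\AppData\Local\Temp\persist.ps1
2024-06-20T10:01:00Z|download|host=www.microsoft.com|file=C:\Users\bob\Downloads\Teams_windows_x64.exe
2024-06-20T10:01:30Z|process|parent=C:\Users\bob\Downloads\Teams_windows_x64.exe|child=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i teams.msi
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The edit-distance check is deliberately coarse: it catches digit-for-letter swaps and brand names embedded in unrelated domains, but a real deployment would use a proper public-suffix list and tune the threshold against the organisation's own traffic. The second rule is independent of the first, so a backdoored installer served from a domain the allow-list does not cover still produces an alert when it launches PowerShell.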
Unfortunately, this malvertising campaign is not an isolated incident. Another cybercrime group known as Rogue Raticate, also known as RATicate, has been implicated in an email phishing campaign that utilizes PDF decoys to trick users into clicking on a malicious URL. The URL leads the victims to download the notorious NetSupport RAT, a remote access trojan that gives the attackers complete control over infected systems.
In yet another alarming development, a new phishing-as-a-service (PhaaS) platform called the ONNX Store has emerged. This platform allows customers to orchestrate phishing campaigns by embedding QR codes in PDF attachments. These QR codes lead victims to credential harvesting pages, where their login information is stolen. Additionally, the ONNX Store offers bulletproof hosting and remote desktop protocol (RDP) services via a Telegram bot, further facilitating cybercriminal activities.
What sets the ONNX Store apart is its use of encrypted JavaScript embedded in the URLs distributed through phishing campaigns. During page load, this JavaScript is decoded to collect victims’ network metadata and intercept two-factor authentication (2FA) requests. The phishing pages created by the ONNX Store cleverly mimic the login interfaces of Microsoft 365, tricking targets into entering their authentication details.
These recent incidents highlight the evolving tactics and techniques used by cybercriminals to carry out malicious campaigns. The use of trojanized installers and deceptive websites demonstrates that attackers are becoming increasingly sophisticated in their efforts to infect systems and compromise sensitive information. It is crucial for users and organizations to remain vigilant, keep their software up to date, and adopt security measures such as implementing strong passwords and multi-factor authentication.
In conclusion, the malvertising campaign leveraging trojanized installers for popular software is a concerning development in the cybersecurity landscape. The deployment of the Oyster backdoor and the use of lookalike websites highlight the need for increased awareness and proactive security measures. As cybercriminals continue to refine their tactics, it is vital for users and organizations to stay informed about emerging threats and take appropriate steps to protect themselves against potential attacks.