A spike in malvertising has pushed intruders to invest in more complex malware, and LOBSHOT is one example. Discovered by Elastic Security Labs, the malware has info-stealing capabilities and is used to deploy banking trojans.
What’s it about?
Earlier this year, Elastic Security Labs and the research community detected a significant surge in malvertising. Attackers used an elaborate scheme of fake websites promoted through Google Ads and planted backdoors inside seemingly legitimate installers to distribute their malware. LOBSHOT was observed during this spike. Despite operating under the radar, LOBSHOT is still able to gather victims.
LOBSHOT’s main feature is its hVNC (Hidden Virtual Network Computing) component, which gives the attacker unobserved, direct access to the affected machine. This capability has
- successfully bypassed fraud detection systems
- been included as a plugin in many popular malware families.
According to Elastic Security Labs: “We will provide a YARA signature and configuration extractor for this malware family. Our analysis revealed infrastructure involved in the well-known cybercrime group TA505, associated with previous campaigns such as Dridex, Locky, and Necurs. We also observed that the same domains used in LOBSHOT were connected to a loader called Get2, as documented by Proofpoint. We have a moderate level of confidence in our assessment that LOBSHOT is a new malware capability being utilized by TA505 since 2022.”
Destructive features at a glance
For the initial chain of actions, see the sandbox report. Here is how it works:
- Dynamic API resolution: APIs are resolved at runtime, which slows down analysis and identification.
- Defender emulation check: performs a Windows Defender anti-emulation check by verifying whether the computer name matches the string HAL9TH and the username matches JohnDoe. Both values must match for the check to trigger.
- String obfuscation: bitwise operators are used to hide its strings and the routine that decodes them.
- Initial enumeration: collects detailed enumeration data.
- Execution flow: copies itself and continues execution from the copy.
- Persistence: continuously checks the targeted device through its communication channel.
- Stealer functionality: once established, it steals information, with a focus on cryptocurrency wallets.
- Strong communication: sends and receives information every 5 seconds, using pseudo-random hard-coded data.
“At this stage, the victim machine will start sending screen captures representing the remote desktop sent to a listening client controlled by the attacker. The attacker interacts with the client by controlling the keyboard, clicking buttons, and moving the mouse; these capabilities provide the attacker full remote control of the device.”
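The fixed five-second cadence described in the communication item above is the kind of regularity a defender can hunt for in proxy or firewall connection logs. The Python below is an added example, not code from Elastic Security Labs or the original post; the log lines, hostnames, destinations and thresholds are constructed for illustration, and real traffic will carry more jitter than the sample.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample connection log (timestamp, source host, destination).
# ws-17 talks to one destination every 5 seconds; ws-22 talks irregularly.
SAMPLE_LOG = """\
2023-05-02T10:00:00 ws-17 203.0.113.10:443
2023-05-02T10:00:05 ws-17 203.0.113.10:443
2023-05-02T10:00:10 ws-17 203.0.113.10:443
2023-05-02T10:00:15 ws-17 203.0.113.10:443
2023-05-02T10:00:20 ws-17 203.0.113.10:443
2023-05-02T10:00:25 ws-17 203.0.113.10:443
2023-05-02T10:00:03 ws-22 198.51.100.7:443
2023-05-02T10:00:41 ws-22 198.51.100.7:443
2023-05-02T10:01:12 ws-22 198.51.100.7:443
2023-05-02T10:04:00 ws-22 198.51.100.7:443
2023-05-02T10:04:02 ws-22 198.51.100.7:443
2023-05-02T10:09:30 ws-22 198.51.100.7:443
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst = line.split()
        flows[(host, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, expected=5.0, tolerance=0.5, max_jitter=1.0, min_events=5):
    """Return (pair, median gap) for pairs whose inter-arrival times cluster
    tightly around `expected` seconds (thresholds are assumed, tune per network)."""
    hits = []
    for pair, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - expected) <= tolerance and pstdev(gaps) <= max_jitter:
            hits.append((pair, round(median(gaps), 2)))
    return hits

if __name__ == "__main__":
    for (host, dst), interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {host} -> {dst} every ~{interval}s")
```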
Ponder over
Backdoors like LOBSHOT seem small, but combined with complex attacks they can be extremely damaging to you and your organization. With capabilities like these, such malware is a real risk to your identity and financial safety. Beware and keep learning!