A brand new malvertising marketing campaign has been discovered to make use of faux websites that masquerade as official Home windows information portal to propagate a malicious installer for a preferred system profiling software known as CPU-Z.
“This incident is part of a bigger malvertising marketing campaign that targets different utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domains) and cloaking templates used to keep away from detection,” Malwarebytes’ Jérôme Segura mentioned.
Whereas malvertising campaigns are recognized to arrange duplicate websites promoting widely-used software program, the most recent exercise marks a deviation in that the web site mimics WindowsReport[.]com.
The purpose is to trick unsuspecting customers looking for CPU-Z on search engines like google like Google by serving malicious adverts that, when clicked, redirect them to the faux portal (workspace-app[.]on-line).
On the similar time, customers who should not the supposed victims of the marketing campaign are served an innocuous weblog with totally different articles, a method often called cloaking.
The signed MSI installer that is hosted on the rogue web site incorporates a malicious PowerShell script, a loader often called FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.
“It’s potential the menace actor selected to create a decoy web site wanting like Home windows Report as a result of many software program utilities are sometimes downloaded from such portals as a substitute of their official net web page,” Segura famous.
That is removed from the primary time misleading Google Adverts for widespread software program have turned out to be a malware distribution vector. Final week, cybersecurity agency eSentire disclosed particulars of an up to date Nitrogen marketing campaign that paves the best way for a BlackCat ransomware assault.
Two different campaigns documented by the Canadian cybersecurity agency present that the drive-by obtain methodology of directing customers to doubtful web sites has been leveraged to propagate varied malware households like NetWire RAT, DarkGate, and DanaBot in current months.
The event comes as menace actors proceed to more and more depend on adversary-in-the-middle (AiTM) phishing kits equivalent to NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack focused accounts.
To prime all of it, eSentire additionally known as consideration to a brand new methodology dubbed the Wiki-Slack assault, a user-direction assault that goals to drive victims to an attacker-controlled web site by defacing the top of the primary para of a Wikipedia article and sharing it on Slack.
Particularly, it exploits a quirk in Slack that “mishandle[s] the whitespace between the primary and second paragraph” to auto-generate a hyperlink when the Wikipedia URL is rendered as a preview within the enterprise messaging platform.
It is price declaring {that a} key prerequisite to pulling off this assault is that the primary phrase of the second paragraph within the Wikipedia article have to be a top-level area (e.g., in, at, com, or internet) and that the 2 paragraphs ought to seem throughout the first 100 phrases of the article.
With these restrictions, a menace might weaponize this habits such that the best way Slack codecs the shared web page’s preview outcomes factors to a malicious hyperlink that, upon clicking, takes the sufferer to a booby-trapped web site.
“If one doesn’t have moral guardrails, they’ll increase the assault floor of the Wiki-Slack assault by modifying Wikipedia pages of curiosity to deface it,” eSentire mentioned.