New Malvertising Marketing campaign Makes use of Faux Home windows Information Portal to Distribute Malicious Installers


Nov 09, 2023 | Newsroom | Endpoint Security / Malware


A new malvertising campaign has been found to use fake sites that masquerade as a legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool known as CPU-Z.

"This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domains) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said.

While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com.

The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online).

At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking.


The signed MSI installer hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.

"It's possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page," Segura noted.

This is far from the first time deceptive Google Ads for popular software have turned out to be a malware distribution vector. Last week, cybersecurity firm eSentire disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack.


Two other campaigns documented by the Canadian cybersecurity firm show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families like NetWire RAT, DarkGate, and DanaBot in recent months.

The development comes as threat actors continue to increasingly rely on adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts.


To top it all, eSentire also called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first paragraph of a Wikipedia article and sharing it on Slack.

Specifically, it exploits a quirk in Slack that "mishandle[s] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform.

It's worth pointing out that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain (e.g., in, at, com, or net) and that the two paragraphs should appear within the first 100 words of the article.

With these restrictions, a threat actor could weaponize this behavior so that the way Slack formats the shared page's preview points to a malicious link that, upon clicking, takes the victim to a booby-trapped website.

"If one does not have ethical guardrails, they can expand the attack surface of the Wiki-Slack attack by modifying Wikipedia pages of interest to deface it," eSentire said.
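As an added defensive check (not part of the original article or eSentire's research), the following Python function scans the opening paragraphs of an article body for the condition described above: a paragraph ending in a full stop, followed within the first 100 words by a paragraph whose first word is also a TLD, which is what a preview renderer that drops the paragraph break would turn into a hostname. The sample excerpts, the short TLD list and the assumption that the link is formed from the closing full stop plus the next paragraph's first word are mine, not the page's.

```python
import re

# Constructed sample text in the shape the article describes: paragraph one ends with a
# full stop and paragraph two opens with "In", which is also a top-level domain.
RISKY_EXCERPT = (
    "Example Corp is a software company headquartered in Redmond.\n\n"
    "In 2001 the company released its first product to the public."
)
# Same content, but the second paragraph no longer starts with a TLD-like word.
SAFE_EXCERPT = (
    "Example Corp is a software company headquartered in Redmond.\n\n"
    "The company released its first product to the public in 2001."
)

# The TLDs the article names as examples; a deployment would load the full IANA list.
TLDS = frozenset({"in", "at", "com", "net"})
WORD_LIMIT = 100  # the article says both paragraphs must fall within the first 100 words


def implied_hostnames(text, tlds=TLDS, word_limit=WORD_LIMIT):
    """Return hostnames that appear if every paragraph break within the first
    `word_limit` words is collapsed to nothing.

    Assumption (not stated on the page): the link is formed from the closing
    full stop of one paragraph joined to the first word of the next, e.g.
    "Redmond." + "In" -> "redmond.in".
    """
    paragraphs = [p.split() for p in re.split(r"\n\s*\n", text) if p.strip()]
    found = []
    words_before_break = 0
    for first, second in zip(paragraphs, paragraphs[1:]):
        words_before_break += len(first)
        if words_before_break >= word_limit:
            break  # later breaks are even further into the article
        last_word, first_word = first[-1], second[0]
        if not last_word.endswith("."):
            continue
        label = last_word[:-1]
        tld = re.sub(r"[^A-Za-z]", "", first_word).lower()
        # A valid DNS label followed by a known TLD is what a linkifier would pick up.
        if tld in tlds and re.fullmatch(r"[A-Za-z0-9-]+", label):
            found.append(f"{label.lower()}.{tld}")
    return found


if __name__ == "__main__":
    for name, excerpt in (("risky", RISKY_EXCERPT), ("safe", SAFE_EXCERPT)):
        print(name, implied_hostnames(excerpt))
```

A preview sanitiser or a bot watching a shared channel can run this over the fetched article text and flag or refuse to unfurl any link for which the list is non-empty.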
