Hackers are using online ads for fake versions of popular software to trick users into downloading three forms of malware - including a malicious browser extension with the same capabilities as a trojan - that give attackers usernames and passwords, as well as backdoor access to infected Windows PCs.
The attacks, which distribute two previously undocumented forms of custom malware, were detailed by cybersecurity researchers at Cisco Talos, who dubbed the campaign "Magnat". The campaign appears to have been active since 2018, and the malware is constantly evolving.
More than half of the victims are in Canada, but there have been victims around the world, including in the United States, Europe, Australia and Nigeria.
Researchers believe that victims are lured into downloading the malware through malvertising - malicious web ads - that trick them into downloading fake installers for popular software. Users are probably searching for legitimate versions of the software, but the advertising directs them to malicious versions instead.
What does this software that deceives users include? Fake versions of messaging apps like Viber and WeChat, as well as fake installers for popular video games like Battlefield.
The installer does not install the advertised software, but instead installs three types of malware - a password stealer program, a backdoor and a malicious browser extension, which allows keylogging and screenshots of what the infected user is seeing.
The password stealer distributed in the attacks is known as Redline, a relatively common malware that steals all usernames and passwords found on the infected system. The Magnat campaign in the past distributed a different password stealer, Azorult. The change to Redline was probably made because Azorult, like many other forms of malware, stopped working properly after the release of Chrome 80 in February 2020.
While both password stealers are off-the-shelf malware, the undocumented backdoor installer - which the researchers named MagnatBackdoor - appears to be a more bespoke piece of malware that has been distributed since 2019, although distribution has paused for months at a time.
MagnatBackdoor configures the infected Windows system to allow access over the Remote Desktop Protocol (RDP). It adds a new user and schedules the system to ping an attacker-run command and control server at regular intervals. The backdoor lets the intruders quietly gain remote access to the machine whenever they need it.
The third payload is a downloader for a malicious Google Chrome extension, which the researchers named MagnatExtension. The extension is delivered by the intruders and does not come from the Chrome extension store.
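As an added illustration of the three host changes described above (this is not Talos's detection logic and not code from the original article), the following Python correlates constructed Windows event records per host, assuming a log pipeline that emits Security event 4720 for user creation, Sysmon event 13 for the RDP registry value being set, and Security event 4698 for scheduled task creation:

```python
"""Flag hosts where RDP is enabled, a new local user appears and a
recurring scheduled task is created within a short window, the pattern
attributed to MagnatBackdoor above. Field names and sample events are
constructed for this example, not real telemetry."""
from collections import defaultdict

# Constructed sample events, as a normalising log pipeline might emit them.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "event_id": 4720, "user": "svc_remote"},
    {"host": "ws01", "ts": 110, "event_id": 13,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "0"},
    {"host": "ws01", "ts": 120, "event_id": 4698, "task": "Updater", "interval_min": 30},
    {"host": "ws02", "ts": 200, "event_id": 4720, "user": "newhire"},  # benign: only one stage
]

# fDenyTSConnections = 0 is the registry setting that allows inbound RDP.
RDP_KEY_SUFFIX = r"Terminal Server\fDenyTSConnections"
STAGES = {"new_user", "rdp_enabled", "scheduled_beacon"}
WINDOW_SECONDS = 3600


def classify(event):
    """Map one event to a backdoor stage name, or None if unrelated."""
    eid = event["event_id"]
    if eid == 4720:                                   # local user account created
        return "new_user"
    if (eid == 13 and event.get("key", "").endswith(RDP_KEY_SUFFIX)
            and event.get("value") == "0"):           # RDP switched on via registry
        return "rdp_enabled"
    if eid == 4698 and event.get("interval_min"):     # recurring task, e.g. a beacon
        return "scheduled_beacon"
    return None


def find_magnat_pattern(events, window=WINDOW_SECONDS):
    """Return sorted hosts where all three stages occur within `window` seconds."""
    first_seen = defaultdict(dict)  # host -> stage -> earliest timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            first_seen[ev["host"]].setdefault(stage, ev["ts"])
    hits = []
    for host, seen in first_seen.items():
        if STAGES <= seen.keys() and max(seen.values()) - min(seen.values()) <= window:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    print(find_magnat_pattern(SAMPLE_EVENTS))  # ['ws01']
```

Any single stage on its own (a new user, an admin enabling RDP) is routine, which is why the example only alerts on the full combination within one window.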
This extension contains various means of stealing data directly from the web browser, including payload retrieval, cookie theft, theft of information entered into forms, and a keylogger, which records everything a user enters in the browser. All this information is then sent to the attackers.
Researchers have likened the extension's capabilities to those of a banking trojan. They say the ultimate goal of the malware is to obtain user credentials, either for sale on the dark web or for further exploitation by the intruders. The cybercriminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating the malware, and this is likely to continue.
Source of information: zdnet.com