A new malvertising campaign has been found to use fake sites that masquerade as a legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.
"This incident is part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domains) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said.
While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com.
The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online).
At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking.
The signed MSI installer hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.
"It's possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page," Segura noted.
This is far from the first time deceptive Google Ads for popular software have turned out to be a malware distribution vector. Last week, cybersecurity firm eSentire disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack.
Two other campaigns documented by the Canadian cybersecurity firm show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families like NetWire RAT, DarkGate, and DanaBot in recent months.
The development comes as threat actors continue to increasingly rely on adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts.
To top it all, eSentire also called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first paragraph of a Wikipedia article and sharing it on Slack.
Specifically, it exploits a quirk in Slack that "mishandle[s] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform.
It's worth mentioning that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain (e.g., in, at, com, or net) and that the two paragraphs should appear within the first 100 words of the article.
With these restrictions, a threat actor could weaponize this behavior such that the way Slack formats the shared page's preview points to a malicious link that, upon clicking, takes the victim to a booby-trapped site.
"If one doesn't have ethical guardrails, they can expand the attack surface of the Wiki-Slack attack by modifying Wikipedia pages of interest to deface it," eSentire said.