This malware is spread through bogus downloads.


Cybercriminals are using online advertisements for fake versions of popular apps to trick end users into downloading three types of malware, including a malicious browser extension with Trojan-like capabilities that hands attackers usernames and passwords as well as remote backdoor access to infected Windows computers.

The attacks, which distribute two families of custom-built and apparently previously undocumented malware, were analysed in detail by Cisco Talos security researchers, who dubbed the campaign “Magnat.” The campaign appears to have been active in one form or another since 2018, and the malware is constantly evolving. More than half of the victims are in Canada, but there are also victims around the world, including in the United States, Europe, Australia and Nigeria.

Researchers believe victims are lured into downloading the malware by malicious advertisements on the web, which lead them to bogus installers of common software packages. Users are most likely searching for legitimate versions of the software, but the ads steer them to malicious versions instead.

Fake versions of Viber and WeChat

Among the software users are tricked into downloading are fake versions of messaging apps such as Viber and WeChat, as well as bogus installers of popular video games such as Battlefield. The installer does not install the advertised software; instead it drops three types of malware: a password stealer, a backdoor, and a malicious browser extension that can log keystrokes and take screenshots of what the infected user sees.

The password stealer distributed in the attacks is believed to be Redline, a fairly widespread piece of malware that steals all the usernames and passwords it finds on the infected system. Magnat previously distributed a different password stealer, Azorult. The switch to Redline is probably because Azorult, like many other malware families, stopped working properly after Chrome 80 was released in February 2020.

While password stealers are commodity malware, the previously undocumented backdoor installer, which researchers have dubbed MagnatBackdoor, appears to be a far more bespoke piece of software. It has been distributed since 2019, although there have been periods when distribution stopped for months at a time.

The Magnat backdoor

MagnatBackdoor configures the infected Windows system to allow stealthy Remote Desktop Protocol (RDP) access, adds a new user account, and schedules a task that pings a command-and-control server run by the attackers at regular intervals. The backdoor lets the attackers quietly access the computer remotely whenever they need to.
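The three host changes described above (RDP enabled, a new local account, a recurring task that reaches out to a remote host) are all visible to a defender. The following read-only audit script is an added example written for this article, not code from Talos or from the campaign; the 30-day window, the path allow-list and the URL pattern are assumptions, not published indicators.

```powershell
# Added example, not from the article or from Talos: a read-only audit of a Windows
# host for the three changes the article attributes to MagnatBackdoor:
# RDP enabled, a newly added local account, and a scheduled task that beacons out.
# Run from an elevated PowerShell; the 30-day window is an assumption, not a Talos indicator.

$findings = @()
$since = (Get-Date).AddDays(-30)

# 1. Remote Desktop enabled? fDenyTSConnections = 0 means RDP connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings += 'RDP enabled (fDenyTSConnections = 0)' }
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Remote Desktop Users member: $($_.Name)" }

# 2. Local accounts created recently: Security event 4720 (needs rights to read the Security log).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property 0 of event 4720 is TargetUserName, the account that was created.
        $findings += "Local account created $($_.TimeCreated): $($_.Properties[0].Value)"
    }

# 3. Non-Microsoft scheduled tasks that repeat on an interval and either run something
#    outside Windows/Program Files or pass a URL on the command line (a beacon pattern).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    $repeats = $task.Triggers | Where-Object { $_.Repetition -and $_.Repetition.Interval }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $odd = ($cmd -match 'https?://') -or
               ($action.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows|%ProgramFiles%|C:\\Program Files)')
        if ($repeats -and $odd) {
            $findings += "Repeating task $($task.TaskPath)$($task.TaskName) runs: $cmd"
        }
    }
}

if ($findings.Count -eq 0) { 'No RDP/user/task findings' } else { $findings }
```

Any hit is a lead to investigate rather than proof of infection: legitimate admin tools also enable RDP and create recurring tasks, so compare against a known-good baseline for the machine.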

The third payload is a downloader for a malicious Google Chrome extension, which researchers dubbed MagnatExtension. The extension is delivered by the attackers themselves rather than through the official Chrome extension store.

The extension has many ways to steal information directly from the web browser, including the ability to take screenshots, steal cookies, and steal data entered into forms, as well as a keylogger that records everything users type in the browser. All of this information is then sent back to the attackers.

Banking Trojan

Researchers compared the extension’s capabilities to those of a banking Trojan. They say the primary purpose of the malware is to obtain user credentials, possibly for sale online or for further exploitation by the attackers. The cybercriminals behind MagnatBackdoor and MagnatExtension have spent years building and updating the malware, and it is very likely they will continue to do so.

“These two families have been the subject of frequent development and improvement by their authors. This may not be the last time we listen to them,” says Tiago Pereira, security researcher at Cisco Talos.

“We believe these strategies use malicious promotion as a way to reach people who are intrigued by program-related keywords and phrases that exist with hyperlinks to get popular software. This form of threat can be incredibly productive and requires the implementation of different levels of protection controls, such as endpoint security, network filtering and periods of awareness of stability,” he explains.

Source: ZDNet.com
