A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension, with the goal of stealing credentials and data stored on the compromised systems as well as maintaining persistent remote access.
Cisco Talos attributed the malware payloads to an unknown actor that goes by the alias “magnat,” noting that “these two families have been subject to constant development and improvement by their authors.”
The attacks are believed to have commenced in late 2018, with intermittent activity observed towards the end of 2019 and through early 2020, followed by fresh spikes since April 2021, while primarily singling out users in Canada, followed by the U.S., Australia, Italy, Spain, and Norway.
A noteworthy aspect of the intrusions is the use of malvertising as a means to target individuals who are searching for popular software on search engines, presenting them with links to download fake installers that drop a password stealer called RedLine Stealer, a Chrome extension dubbed “MagnatExtension” that is programmed to record keystrokes and capture screenshots, and an AutoIt-based backdoor that establishes remote access to the machine.
MagnatExtension, which masquerades as Google’s Safe Browsing, also packs other features that are of use to the attackers, including the ability to steal form data, harvest cookies, and execute arbitrary JavaScript code. Telemetry data analyzed by Talos has revealed that the first-ever sample of the browser add-on was detected in August 2018.
The extension’s command-and-control (C2) communications stand out as well. While the C2 address is hard-coded, it can also be updated by the current C2 with a list of additional C2 domains. In the event of failure, it falls back to an alternate method that involves obtaining a new C2 address from a Twitter search for hashtags like “#aquamamba2019” or “#ololo2019.”
The domain name is then constructed from the accompanying tweet text by concatenating the first letter of each word, meaning “Squishy turbulent areas terminate active round engines after dank years. Industrial creepy units” becomes “stataready[.]icu.” Once an active C2 server is available, the harvested data is exfiltrated in the form of an encrypted JSON string in the body of an HTTP POST request, the encryption key for which is hard-coded in the decryption function.
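The tweet-to-domain derivation described above, reconstructed as an added Python example (this is not code from the article, from Talos, or from the malware): each sentence of the tweet is reduced to the first letters of its words, and the last sentence supplies the TLD. The sentence-split rule, the skipping of hashtags and @mentions, the lower-casing, and the second sample tweet are assumptions inferred from the single example the article gives. An analyst can use it to turn tweets collected under the named hashtags into defanged candidate domains for DNS blocklists or hunting queries.

```python
import re

# Constructed sample input: the tweet text quoted in the Talos write-up.
SAMPLE_TWEET = ("Squishy turbulent areas terminate active round engines "
                "after dank years. Industrial creepy units")


def derive_domain(tweet: str) -> str:
    """Rebuild a C2 domain from tweet text the way the article describes.

    Each sentence becomes one DNS label made of the first letter of every
    word; labels are joined with dots, so the final sentence is the TLD.
    Assumptions (not stated on the page): sentences are split on . ! ?,
    hashtags and @mentions are skipped, and letters are lower-cased.
    """
    labels = []
    for sentence in re.split(r"[.!?]+", tweet):
        letters = []
        for token in sentence.split():
            if token.startswith(("#", "@")):  # assumption: tags are not part of the domain
                continue
            first = re.search(r"[A-Za-z0-9]", token)  # skip leading quotes/brackets
            if first:
                letters.append(first.group(0).lower())
        if letters:
            labels.append("".join(letters))
    if len(labels) < 2:
        raise ValueError("tweet does not yield both a host label and a TLD")
    return ".".join(labels)


def defang(domain: str) -> str:
    """Write the domain as stataready[.]icu so reports contain no live links."""
    return domain.replace(".", "[.]")


def candidate_domains(tweets):
    """Map a batch of tweets (e.g. gathered from the hashtag search) to
    defanged candidate C2 domains, skipping tweets that yield no domain.

    Returns a dict: tweet text -> defanged domain.
    """
    result = {}
    for text in tweets:
        try:
            result[text] = defang(derive_domain(text))
        except ValueError:
            continue
    return result


if __name__ == "__main__":
    # The quoted tweet resolves to stataready[.]icu; a one-sentence tweet is dropped.
    print(candidate_domains([SAMPLE_TWEET, "just one sentence here"]))
```

Because the scheme is deterministic, the same function can be pointed at archived tweets for the hashtags to enumerate every domain the extension would have fallen back to, which is more robust than blocking only the hard-coded C2.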
“Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker’s objectives are to obtain user credentials, possibly for sale or for his own use in further exploitation,” Cisco Talos researcher Tiago Pereira said.
“The motive for the deployment of an RDP backdoor is unclear. The most likely are the sale of RDP access, the use of RDP to work around online service security features based on IP address or other endpoint installed tools, or the use of RDP for further exploitation on systems that look interesting to the attacker.”