Thursday, March 28, 2024

New campaign spreads malware under the guise of Viber and WeChat


Alexander Antipov

Hackers trick users into downloading the backdoor and malicious extension for the Google Chrome browser.


Cisco Talos specialists reported a series of malicious campaigns that use fraudulent advertising. The criminals used fake installers of popular apps and games such as Viber, WeChat, NoxPlayer and Battlefield as decoys to trick users into downloading a backdoor and a malicious extension for the Google Chrome browser. The malware allows the hackers to steal credentials and gain persistent remote access to compromised systems.

Cisco Talos has linked the campaigns to a previously unknown group that the researchers track as Magnat. As the experts noted, "these two malware families have been constantly evolving and improving by their authors."

The attacks allegedly began in late 2018 and continued intermittently until early 2020. New attacks began in April 2021 and affected users in Canada, followed by the United States, Australia, Italy, Spain and Norway.

The cybercriminals use fraudulent advertising to target users who search for popular software on search engines. The ads lead to download links for supposedly legitimate installers that actually install the password-stealing program RedLine Stealer, a Chrome extension called MagnatExtension that logs keystrokes and takes screenshots, and an AutoIt-based backdoor that gives remote access to the device.

MagnatExtension masquerades as a legitimate Google Safe Browsing service and includes functions for stealing form data, collecting cookies, and executing arbitrary JavaScript code.

The experts also described the extension's command-and-control (C&C) infrastructure. The C&C address is hard-coded in the malware, but the current C&C server can update it by sending a list of additional control domains. If no server from that list is reachable, the extension falls back to an alternative method: it obtains a new address from a Twitter search for special hashtags, #aquamamba2019 or #ololo2019.

The domain name is then derived from the matching Twitter post by concatenating the first letter of each word. Thus, a post with the text "Squishy turbulent areas terminate active round engines after dank years. Industrial creepy units" and the hashtag #aquamamba2019 stands for stataready[.]icu.
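The decoding scheme above is simple enough to reproduce, and an analyst who wants to pre-compute blocklist entries from posts carrying the named hashtags needs exactly that. The following is an added example, not code from the Cisco Talos report or from the malware itself. It assumes, from the single example on the page, that each sentence of the post becomes one DNS label ("years." ends the first label, and the second sentence yields the "icu" TLD); the sample posts are constructed for the example.

```python
import re

# Hashtags the report names as the trigger for the Twitter-search fallback.
TRACKED_HASHTAGS = {"#aquamamba2019", "#ololo2019"}

# Constructed sample posts: the first is the example quoted in the report,
# the second is an unrelated post that must be ignored.
EXAMPLE_POST = ("Squishy turbulent areas terminate active round engines "
                "after dank years. Industrial creepy units #aquamamba2019")
SAMPLE_POSTS = [
    EXAMPLE_POST,
    "Weather is nice today. Stay safe everyone #unrelated2021",
]


def extract_hashtags(text):
    """Return the set of hashtags in a post, lower-cased for comparison."""
    return {tag.lower() for tag in re.findall(r"#\w+", text)}


def derive_domain(text):
    """Rebuild the domain encoded in a post: first letter of every word.

    Assumption (drawn from the page's example): each sentence, split on
    '.', '!' or '?', becomes one label and labels are joined with dots.
    Hashtags are stripped first so they do not contribute letters.
    """
    body = re.sub(r"#\w+", " ", text)
    labels = []
    for sentence in re.split(r"[.!?]+", body):
        words = re.findall(r"[A-Za-z]+", sentence)
        if words:
            labels.append("".join(w[0].lower() for w in words))
    return ".".join(labels)


def candidate_c2_domains(posts):
    """Defender-side helper: from a list of post texts, return the domains a
    MagnatExtension-style fallback would resolve for posts that carry one of
    the tracked hashtags. Posts without those hashtags are ignored."""
    domains = []
    for post in posts:
        if extract_hashtags(post) & TRACKED_HASHTAGS:
            domain = derive_domain(post)
            if domain:
                domains.append(domain)
    return domains


def defang(domain):
    """Render a domain in the usual report-safe form, e.g. stataready[.]icu."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for d in candidate_c2_domains(SAMPLE_POSTS):
        print("candidate C&C domain:", defang(d))
```

Feeding the collected posts for the two hashtags through `candidate_c2_domains` yields the domains to add to DNS blocklists and to hunt for in proxy logs; the sentence-to-label rule is the one assumption worth re-checking against any new post that does not decode cleanly.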

Once an active C&C server is available, the stolen data (browser history, cookies, form data, keystrokes and screenshots) is sent to the attackers as an encrypted JSON string in the body of an HTTP POST request.


Source: www.securitylab.ru
