In 2018, a malicious cyber campaign began to make its way across the world.
New research from Cisco Talos’ Cyber Threat Intelligence Team found that the campaign baited users into downloading fraudulent versions of popular software onto their computers, likely through the use of ads.
“Talos believes the attackers have set up an advertising campaign that will present links to a web page, offering the download of a software installer,” which has numerous different file names.
Once the installer is downloaded, three different types of malware are dropped: a password stealer, a “backdoor” that allows remote access to systems even if they are behind firewalls, and a browser extension that steals sensitive information.
The extension isn’t installed from the Chrome Extension store; it is installed by the malware itself. It’s listed as “Google’s Safe Browsing” in the extension settings.
“This extension is very similar in its features to a banking trojan. It periodically connects to a C2 to receive the updated configuration settings. Those settings are then used to control the behavior of the features that allow stealing data from the browser, such as a form grabber, keylogger, and screenshotter, among others,” the research notes.
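A defender-side check that follows from the two indicators above (an extension installed outside the store and the impersonating display name), written for this article rather than taken from the Talos research. It assumes the Chrome Preferences/Secure Preferences layout of an `extensions.settings` map keyed by extension id, with `from_webstore` and `manifest.name` fields; the sample profile data is constructed.

```python
import json

# Constructed sample of the "extensions.settings" section of a Chrome
# Preferences file (layout assumed; ids, names and versions are made up).
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True,
            "manifest": {"name": "Example Ad Blocker", "version": "1.4.0"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False,
            "manifest": {"name": "Google\u2019s Safe Browsing", "version": "1.0"}},
    }}
})

# Display names that impersonate Google security features; the first is the
# name the Talos research reports for the malicious extension.
SUSPICIOUS_NAMES = {"google's safe browsing", "google safe browsing"}


def normalize_name(name):
    """Lower-case and fold curly apostrophes so name matching is not fooled."""
    return name.replace("\u2019", "'").strip().lower()


def audit_extensions(prefs_text):
    """Return (extension_id, name, reasons) for every extension worth review."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        name = ext.get("manifest", {}).get("name", "")
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if normalize_name(name) in SUSPICIOUS_NAMES:
            reasons.append("name impersonates a Google security feature")
        if reasons:
            findings.append((ext_id, name, reasons))
    return findings


if __name__ == "__main__":
    for ext_id, name, reasons in audit_extensions(SAMPLE_PREFS):
        print(f"{ext_id} {name!r}: {'; '.join(reasons)}")
```

On a real host, read the profile’s Preferences (or Secure Preferences on Windows) file and pass its contents to `audit_extensions` instead of the sample.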
The promised software is never installed.
Researchers found the original password stealer used was Azorult. More recently, Redline is being used.
A timeline created by the researchers shows the first extension was seen in August 2018. Between then and March 2020, activity was consistent, before the start of a months-long absence that ended in October of that year.
Before the break, Azorult was being used. Afterward, the password stealer was switched to Redline. Researchers believe this change could have been prompted by the release of an updated browser, Chrome 80, which broke the prior malware trio.
Researchers believe advertisements were involved because an analysis of compromised systems found the browser only worked with Cloudflare and Google IPs.
Magnat is the alias used by the actor behind the campaign, who is continuously improving the malware they use. Researchers identified the alias by examining malware samples and the tools used to create them, and checking whether any information had been left behind. Magnat was the username found on a number of the samples examined.
The attacker is focused on financial gain from the sale of stolen credentials and fraudulent transactions.
More than half of the total victims are Canadian and it’s unclear why.
“The research did not uncover any information that allows us to reach any conclusion as to why the attack has a big focus on Canada. All we can say is that roughly 50 percent of the systems contacting the C2 originate from Canada,” Tiago Pereira, technical lead of security research with Cisco Talos, told MobileSyrup.
“This adds to the internet ‘street smarts’ that Canadian users must have while using the net. The attacker’s interest in Canadian users makes it more likely for a Canadian to come across such an attack, and the extra knowledge provided by this kind of research may come in handy.”
Running ad blockers and checking whether a URL looks suspicious are some of the things Canadians can do to protect themselves, Pereira said.
Cases have also been identified in the U.S. and Australia. On a much smaller scale, cases were also seen in Italy, Spain, and Norway.
Image credit: ShutterStock