Official forum for Utopia Community


#1 2023-05-02 23:09:35


A Sneaky Financial Trojan and Information Stealer Delivered Via Google

A threat actor has been observed using the technique to distribute a new Windows-based financial trojan and information stealer called LOBSHOT, in yet another example of how threat actors abuse Google Ads to serve malware.

Daniel Stepanic, an analyst with Elastic Security Labs, wrote in a report published last week, "LOBSHOT continues to gather victims while remaining undetected."

"Hidden Virtual Network Computing, or hVNC, is one of LOBSHOT's key capabilities. Direct and covert access to the machine is made possible by these types of modules."

Based on infrastructure that had previously been linked to the group, the American-Dutch company identified TA505 as the threat actor responsible for the malware strain. TA505 is a group of cybercriminals with a financial incentive that coexists with the Evil Corp, FIN11, and Indrik Spider activity clusters.

The most recent development is significant because it shows that TA505, which is linked to the Dridex banking trojan, is once again increasing the amount of malware it uses to commit financial fraud and data theft.

LOBSHOT, with early samples dating back to July 2022, is disseminated through fraudulent Google advertisements for trustworthy products like AnyDesk that are hosted on a network of fake landing pages kept up by the operators.

The malware includes dynamic import resolution (i.e., resolving the names of necessary Windows APIs at runtime), anti-emulation checks, and string obfuscation to avoid detection by security software.

Once installed, it modifies the Windows Registry to establish persistence and steals data from more than 50 cryptocurrency wallet extensions found in web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Other noteworthy characteristics of LOBSHOT include its capacity to remotely access the compromised host via an hVNC module and perform operations on it covertly without drawing the victim's attention.

According to Stepanic, "threat groups continue to use malvertising techniques to disguise legitimate software with backdoors like LOBSHOT."

"These malware types might appear to be small, but they end up having a lot of functionality, which enables threat actors to move quickly during the initial access stages by providing fully interactive remote control capabilities."

The results also highlight how more adversaries are using malvertising and search engine optimization (SEO) poisoning to trick users into visiting bogus websites and downloading trojanized versions of popular software.

Data from eSentire indicates that the threat actors behind GootLoader carried out a number of attacks targeting law offices and corporate legal departments in the U.S., Canada, the U.K., and Australia.

As an initial access-as-a-service operation for ransomware attacks, GootLoader, which has been active since 2018, uses SEO poisoning to lure victims looking for contracts and agreements to infected WordPress blogs that point to links containing the malware.

The attack chain is created so that the malware can only be downloaded from the hijacked sites once per day in order to avoid detection by incident responders, in addition to implementing geofencing to target victims in specific regions.

According to eSentire, GootLoader's use of IP-address screening to recognize already-infected victims could be turned against it: the same IP addresses of end users could be blocked in advance to shield organizations from potential infections.
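Added illustration (not code from the original post, nor from Elastic's report or any LOBSHOT sample) of the "dynamic import resolution" evasion mentioned above, and of the two checks an analyst applies to it: flag a PE whose import table carries almost nothing but LoadLibrary/GetProcAddress, and label the API-name hashes found in the sample by brute-forcing them against known export names. The rotate-right-13 hash is an assumption used purely for demonstration; the post does not say which hashing scheme LOBSHOT uses. The export lists are constructed stand-ins for a real module's export directory.

```python
"""Dynamic import resolution by API-name hash, and the analyst-side checks.

Assumptions (not from the original post):
  - ROR13-add hash, a scheme common in shellcode loaders, stands in for
    whatever hash a given sample actually uses.
  - FAKE_EXPORTS stands in for walking a loaded DLL's export directory.
"""

def ror13_hash(name: str) -> int:
    """Rotate-right-13 then add each ASCII byte; 32-bit wraparound."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h

# Constructed stand-in for export tables (a real resolver parses the
# IMAGE_EXPORT_DIRECTORY of the module already mapped in memory).
FAKE_EXPORTS = {
    "kernel32.dll": ["CreateProcessW", "VirtualAlloc", "GetProcAddress",
                     "LoadLibraryA", "Sleep", "WriteProcessMemory"],
    "advapi32.dll": ["RegOpenKeyExW", "RegSetValueExW", "CryptAcquireContextW"],
}

def resolve_by_hash(target: int):
    """Malware-side lookup: hash every export name until one matches.

    Nothing but the 32-bit constant is stored in the binary, so static
    import-table inspection never sees the API name.
    """
    for dll, names in FAKE_EXPORTS.items():
        for name in names:
            if ror13_hash(name) == target:
                return dll, name
    return None

def build_hash_table(names):
    """Analyst-side: precompute hash -> name for every known export."""
    return {ror13_hash(n): n for n in names}

def label_hashes(constants, table):
    """Map constants pulled from a sample back to API names where known."""
    return [table.get(c, f"unknown:{c:#010x}") for c in constants]

# Imports that a loader legitimately needs even when everything else is
# resolved at runtime; an IAT consisting only of these is a strong hint.
BOOTSTRAP_IMPORTS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                     "GetModuleHandleA", "GetModuleHandleW"}

def looks_like_dynamic_resolution(imported_names, threshold=3):
    """Heuristic: few imports, and all of them bootstrap functions."""
    names = set(imported_names)
    return len(names) <= threshold and names <= BOOTSTRAP_IMPORTS

if __name__ == "__main__":
    # Constructed sample: constants a malware author would embed instead of names.
    embedded = [ror13_hash("VirtualAlloc"), ror13_hash("RegSetValueExW"), 0xDEADBEEF]
    all_names = [n for names in FAKE_EXPORTS.values() for n in names]
    table = build_hash_table(all_names)
    for c in embedded:
        print(f"{c:#010x} -> {resolve_by_hash(c)}")
    print(label_hashes(embedded, table))
    print(looks_like_dynamic_resolution(["LoadLibraryA", "GetProcAddress"]))
```

The heuristic is deliberately crude: packed or stripped binaries also show tiny import tables, so treat it as a triage signal to pair with the string-obfuscation and anti-emulation indicators the report describes, not as a verdict on its own.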

