This dangerous malvertising campaign mimics popular software to steal victim info
Cybersecurity researchers from HP Wolf Security have warned of several active campaigns that aim to deliver different types of malware to unsuspecting victims via typosquatted domains and malvertising.
The team explained in a blog post how they found threat actors creating multiple typosquatted websites masquerading as popular software like Audacity, Blender or GIMP.
The scammers also paid various ad networks to display ads and promote these bogus websites. That way, when people search for these programs, search engines can present malicious versions of the websites alongside legitimate ones. If a user isn’t careful and doesn’t double-check the URL of the website they’re visiting, they can end up in the wrong place.
Fake installers
If victims do end up in the wrong place, they hardly notice the difference. The websites are designed to look almost identical to the authentic ones down to the smallest detail. In the Audacity example, the site hosts a malicious .exe file that pretends to be the program’s installer. It is called “audacity-win-x64.exe” and is over 300 MB in size.
The unusually large file size serves the attackers in two ways: it avoids arousing suspicion (malware is usually measured in KB), and it helps evade antivirus programs. According to the researchers, the automatic scanning functions of some antivirus programs do not scan extremely large files.
The files are hosted on the cloud storage service 4sync.com, the researchers said, adding that all fake installers in this campaign are hosted there, suggesting that a good defense mechanism could be to completely block access to this service.
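The two defensive checks the researchers describe, an oversized installer that may slip past size-limited AV scanning and a download from the hosting service used by the campaign, can be turned into a simple triage pass over proxy logs. The following is an added example, not code from HP Wolf Security or the article; the log format, the allowlist of legitimate hosts, the 100 MB threshold and the `.example` domains are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article): "<client> <url> <bytes>"
SAMPLE_LOG = """\
10.0.0.5 https://audacity-download.example/audacity-win-x64.exe 318767104
10.0.0.7 https://www.4sync.com/web/directDownload/abc123/blender-setup.exe 250000000
10.0.0.9 https://cdn.example.org/gimp-2.10.32-setup.exe 245000000
10.0.0.3 https://notes.example.net/readme.txt 2048
"""

# Assumptions: product names the campaign impersonated (from the article),
# a hypothetical allowlist of legitimate download hosts, and an assumed
# 100 MB threshold above which some AV engines skip automatic scanning.
IMPERSONATED = ("audacity", "blender", "gimp")
KNOWN_GOOD_HOSTS = {"cdn.example.org"}
BLOCKED_HOSTS = {"4sync.com"}          # hosting service named by the researchers
LARGE_EXE_BYTES = 100 * 1024 * 1024
EXE_RE = re.compile(r"\.(exe|msi)$", re.IGNORECASE)


def _matches(host: str, candidates: set) -> bool:
    return any(host == h or host.endswith("." + h) for h in candidates)


def assess_download(url: str, size: int) -> list:
    """Return the reasons (possibly none) a download record deserves review."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if _matches(host, BLOCKED_HOSTS):
        reasons.append("hosted on blocked file-sharing service")
    if EXE_RE.search(path):
        if size >= LARGE_EXE_BYTES:
            reasons.append("oversized executable (may exceed AV scan limit)")
        hits = [n for n in IMPERSONATED if n in path or n in host]
        if hits and not _matches(host, KNOWN_GOOD_HOSTS):
            reasons.append(f"installer named after {hits[0]} but host not allowlisted")
    return reasons


def scan_log(text: str) -> dict:
    """Map each suspicious URL in the log to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _client, url, size = line.split()
        reasons = assess_download(url, int(size))
        if reasons:
            findings[url] = reasons
    return findings
```

Flagged downloads are candidates for manual submission to a scanner, since the automatic scan may have skipped them.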
Various types of malware are distributed in the campaign. The largest campaigns the researchers have seen used this delivery approach to deploy the IcedID trojan, but the Vidar infostealer, BatLoader, and Rhadamanthys Stealer have all been spotted. According to HP Wolf Security, there has been an uptick in these campaigns since November last year.