

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to 'patch' this loader and identified its actual payload as Aurora stealer.

In this blog post, we detail our findings and how this campaign is connected to other attacks.

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to be a system security update.

Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The 'Chrome update' downloaded from the web browser

Fully Undetectable (FUD) malware

While the file name appears as ChromeUpdate.exe, it uses the Cyrillic alphabet such that certain characters look similar but are different on disk. Its hex representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe as can be seen in the image below:

Figure 3: Hex encoding and Cyrillic alphabet

When we first ran the sample in a sandbox, we could not see anything obvious or that it was even malicious. The file would simply run and exit quickly.

Over a couple of weeks, we collected nine different samples that looked more or less the same. We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines.

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator to quickly check if a file is malicious or not. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e.
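The Cyrillic look-alike file name described above is easy to catch programmatically once you stop trusting how a name renders and look at the code points instead. The following is an added example, not code from the original post or from Malwarebytes: it decodes the percent-encoded name quoted in the text, reports which Unicode scripts its letters come from, flags any name that mixes scripts, and builds a Latin "skeleton" by mapping the common Cyrillic confusables to the Latin letters they imitate, so a detector can see that the file would display as ChromeUpdate.exe. The confusables table is a small hand-picked subset and is an assumption of this example, not a complete list.

```python
import unicodedata
from urllib.parse import unquote

# Hand-picked subset of Cyrillic letters that render like Latin ones (assumed
# for this example; a production detector would use the full Unicode
# confusables data). Keys are Cyrillic code points, values the Latin look-alike.
CYRILLIC_TO_LATIN = {
    "\u0421": "C", "\u0441": "c",   # ES
    "\u041e": "O", "\u043e": "o",   # O
    "\u0415": "E", "\u0435": "e",   # IE
    "\u0420": "P", "\u0440": "p",   # ER
    "\u0410": "A", "\u0430": "a",   # A
    "\u0425": "X", "\u0445": "x",   # HA
    "\u0423": "Y", "\u0443": "y",   # U
    "\u041d": "H", "\u041a": "K", "\u041c": "M", "\u0422": "T", "\u0412": "B",
}


def script_of(ch: str) -> str:
    """Return the script prefix of a character's Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:  # unassigned / control characters have no name
        return "UNKNOWN"


def analyze_filename(encoded: str) -> dict:
    """Decode a percent-encoded file name and report homoglyph indicators.

    mixed_script is True when the letters in the name come from more than one
    script; skeleton is what the name looks like after mapping Cyrillic
    confusables to Latin, i.e. what a victim sees in the download bar.
    """
    name = unquote(encoded)
    scripts = {script_of(c) for c in name if c.isalpha()}
    cyrillic = [(i, c, f"U+{ord(c):04X}") for i, c in enumerate(name)
                if script_of(c) == "CYRILLIC"]
    skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in name)
    return {
        "decoded": name,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "cyrillic_chars": cyrillic,
        "skeleton": skeleton,
    }


if __name__ == "__main__":
    # The percent-encoded name quoted in the post.
    suspicious = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"
    for candidate in (suspicious, "ChromeUpdate.exe"):
        report = analyze_filename(candidate)
        verdict = "HOMOGLYPH" if report["mixed_script"] else "ok"
        print(f"{verdict:10} {report['skeleton']!r} scripts={report['scripts']}")
        for pos, ch, cp in report["cyrillic_chars"]:
            print(f"    offset {pos}: {ch!r} ({cp}) looks like {CYRILLIC_TO_LATIN.get(ch, '?')!r}")
```

Running it on the two names prints that the genuine ChromeUpdate.exe is pure Latin while the encoded one mixes Latin and Cyrillic at six offsets yet skeletonizes to the identical string, which is exactly the property a download-monitoring or mail-gateway rule should key on: a file name whose letters span more than one script and whose skeleton collides with a well-known installer name.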
