Malware Distribution Campaign Has Been Raging for More Than Four Months
#1
[Image: FakeUpdates-campaign.png]


Quote: An organized and highly dynamic malware distribution campaign has been leveraging thousands of hacked websites to redirect users to web pages peddling fake software updates in an attempt to infect them with malware.

According to Jerome Segura, the Malwarebytes researcher who analyzed multiple infection chains to piece together the grander scheme, this campaign started four months ago, in December 2017.

Segura named the campaign "FakeUpdates" because all malicious sites would redirect users to web pages hosting update packages for various types of software, usually Google Chrome, Mozilla Firefox, Internet Explorer, or Adobe Flash Player.

Crooks stealing traffic from hacked sites
The crooks behind this campaign rely on hacked websites to hijack legitimate traffic for the fake update pages.

Segura says he observed most of the traffic coming from hacked WordPress, Joomla, and Squarespace sites [1, 2], but the Malwarebytes researcher also says he spotted crooks leveraging other CMS platforms, as well, usually the ones running outdated versions that were vulnerable to attacks.

The way crooks hijacked traffic from these sites was by injecting JavaScript code inside already-existing JS files present on the site, or by loading a new JS file with the site altogether.

The role of this malicious JS code was to take the user through a series of automated redirects until he landed on other hacked websites where crooks were hosting the page with the fake update package. [see GIF below]


[Image: FakeUpdates-redirect.gif]

Fake updates deliver banking trojans, RATs
Users tricked into downloading the fake update packages didn't receive an EXE file, but another JS script, usually hosted on a Dropbox link. Running the JS script would download and install the final malware payload.

Segura says that during his tests, the malware he received was the Chthonic banking trojan, but other reports [1, 2] also describe the FakeUpdates campaign dropping the NetSupport remote access trojan (RAT).

"The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques," Segura explains.

READ THE FULL ARTICLE HERE

