IN SUMMARY
- The attack lures users into downloading malicious versions of well-known apps through Google Search results.
- These apps include AnyDesk, AnyConnect, WinSCP, Treesize, Cisco, Slack, and more.
- Once a system is infected, attackers install BlackCat ransomware (also known as ALPHV).
A newly tracked malvertising campaign primarily targets businesses. According to the latest research report from Bitdefender, threat actors are luring users via advertisements to download malicious versions of popular applications, including AnyDesk, AnyConnect, WinSCP, Treesize, Cisco, Slack, etc.
Report authors Victor Vrabie and Alexandru Maximciuc explained that in this campaign, the attackers rely on DLL sideloading to inject malicious code into the fake versions and gain access to the victim’s computer.
Once inside, they can perform a wide range of activities on the device, such as stealing credentials, exfiltrating data for extortion, establishing persistence, and installing BlackCat ransomware.
For your information, BlackCat ransomware is distributed by RaaS (ransomware-as-a-service) operators. Also called ALPHV, this ransomware is written in the Rust programming language and targets Windows and Linux-based devices.
The Case of Malicious ISO Archive
In a blog post, the company wrote that cybercriminals are using a malicious ISO archive with attractive offers to lure business users. Apart from the promised software, a ZIP archive is part of the package. This file contains a Python executable (python.exe) and its dependencies, which launch the malicious code as a Meterpreter stager to let threat actors access the device and achieve their nefarious objectives.
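As an added illustration from the defender's side (not code from Bitdefender or the article), the following checks a downloaded archive for the package layout described above and in the DLL sideloading paragraph: a bundled Python interpreter and its runtime DLL, and DLLs placed next to an executable that borrows a well-known app's name. The archive contents, file names and version number are constructed samples, not indicators from the report.

```python
import io
import re
import zipfile

# Brand names the article lists as impersonated; used as a decoy-name heuristic.
IMPERSONATED_APPS = ("anydesk", "anyconnect", "winscp", "treesize", "cisco", "slack")
PY_RUNTIME_DLL = re.compile(r"^python3\d*\.dll$", re.IGNORECASE)

def inspect_archive(data: bytes) -> dict:
    """Inspect ZIP bytes and return findings keyed by heuristic.

    embedded_python  - directories holding python.exe plus a python3x.dll
    decoy_installers - .exe members named after one of the impersonated apps
    sideload_pairs   - (decoy exe, DLL) pairs sitting in the same directory
    """
    findings = {"embedded_python": [], "decoy_installers": [], "sideload_pairs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir = {}
    for name in names:
        directory, _, base = name.rpartition("/")
        by_dir.setdefault(directory, []).append(base.lower())
    for directory, files in by_dir.items():
        if "python.exe" in files and any(PY_RUNTIME_DLL.match(f) for f in files):
            findings["embedded_python"].append(directory or ".")
        decoys = [f for f in files if f.endswith(".exe") and any(a in f for a in IMPERSONATED_APPS)]
        dlls = [f for f in files if f.endswith(".dll")]
        for exe in decoys:
            findings["decoy_installers"].append(f"{directory}/{exe}".lstrip("/"))
            findings["sideload_pairs"].extend((exe, dll) for dll in dlls)
    return findings

def is_suspicious(findings: dict) -> bool:
    """Flag an interpreter bundled alongside a branded decoy or a sideload candidate."""
    return bool(findings["embedded_python"]) and bool(
        findings["decoy_installers"] or findings["sideload_pairs"])

def build_sample_package() -> bytes:
    """Constructed in-memory ZIP mimicking the described layout; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AnyDesk-Setup.exe", b"MZ decoy")           # branded decoy (constructed)
        zf.writestr("helper.dll", b"MZ sideload candidate")     # DLL beside the decoy (constructed)
        zf.writestr("runtime/python.exe", b"MZ interpreter")    # bundled interpreter (constructed)
        zf.writestr("runtime/python311.dll", b"MZ runtime")     # its runtime DLL (constructed)
        zf.writestr("runtime/stage.py", b"# placeholder script (constructed)\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_archive(build_sample_package()))
```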
Further probing revealed that the campaign has been active since May 2023, and organizations in North America are the main targets, particularly businesses in the US and Canada. So far, Bitdefender researchers have detected six organizations targeted in the US and one in Canada.
Why are Malvertising Attacks on the Rise?
Bitdefender researchers highlight that in the past few years, they have observed cybercriminals developing a preference for targeting businesses with malicious versions of commonly used business apps, because the popularity of those apps is relatively easy to exploit.
These bogus apps are distributed in ads promoted through malicious websites. First, attackers create fake websites containing malicious downloads for high-interest apps and make sure these sites appear at the top of the search engine results through ads. Unsuspecting users click on these ads and get their devices infected when downloading the fake app.
The complete list of indicators of compromise for this malvertising attack is available here (PDF).