Tag Archive for: distribute

Crooks manipulate GitHub’s search results to distribute malware

/in


Crooks manipulate GitHub’s search results to distribute malware

Pierluigi Paganini
April 13, 2024

Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware.

Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers systems.

Attackers behind this campaign create malicious repositories with popular names and topics, they were observed using techniques like automated updates and fake stars to boost search rankings.

“By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log”, with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.” reads the report published by Checkmarx. “While automatic updates help, the attackers combine another technique to amplify the effectiveness of their repo making it to the top results. The attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness.”

To evade detection, threat actors concealed the malicious code in Visual Studio project files (.csproj or .vcxproj), it is automatically executed when the project is built.

GitHub malware

The researchers noticed that the payload is delivered based on the victim’s origin, and is not distributed to users in Russia.

In the recent campaign, the threat actors used a sizable, padded executable file that shares similarities with the “Keyzetsu clipper” malware.

The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.

On April 3rd, the attacker updated the code in one of their repositories, linking to a new URL that downloads a different encrypted .7z file. The archive contained an executable named feedbackAPI.exe.

Threat actors padded the executable with numerous zeros…

Source…

Threat actors abuse Google Ads to distribute info-stealing malware: Report

/in


A threat actor was found abusing Google Ads to distribute a trojanised version of the CPU-Z tool to deliver the Redline info-stealing malware.

Threat actors were found using Google Ads to redirect users to a cloned copy of the legitimate Windows news site Windows Report.

Clicking on the ad takes the victim through a redirect step that tricks Google’s anti-abuse crawlers by sending invalid visitors to an innocuous site, a report from Bleeping Computer said.

Those deemed valid to receive the payload are redirected to a Windows news site that lookalike hosted on a number of different domains.  Users are then presented with a “Download now” button that results in them installing a malicious script that loads the malware on devices.

(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)

This malware is a powerful stealer able to collect passwords, cookies, and browsing data from a range of web browsers and applications, as well as sensitive data from cryptocurrency wallets.

Users are advised to be careful when clicking on promoted results in Google Search and check the loaded site and the domain match before downloading any files. Users can also make use of adblockers to automatically hide such results from their search results.

This is a Premium article available exclusively to our subscribers. To read 250+ such premium articles every
month

You have exhausted your free article limit.
Please support quality journalism.

You have exhausted your free article limit.
Please support quality journalism.

This is your last free article.

Source…

IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

/in


IcedID Botnet Distributors Abuse Google PPC to Distribute Malware



Source…

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

/in


Royal Ransomware

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569.

“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” the Microsoft Security Threat Intelligence team said in an analysis.

The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The malware downloader, a strain referred to as BATLOADER, is a dropper that functions as a conduit to distribute next-stage payloads. It has been observed to share overlaps with another malware called ZLoader.

Royal Ransomware

A recent analysis of BATLOADER by eSentire and VMware called out the malware’s stealth and persistence, in addition to its use of search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites or attacker-created domains.

Alternatively, phishing links are shared through spam emails, fake forum pages, blog comments, and even contact forms present on targeted organizations’ websites.

Royal Ransomware

“DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network,” the tech giant noted.

“The management tool can also be an access point for the staging and spread of ransomware.”

Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.

The use of Google Ads to deliver BATLOADER selectively marks a diversification of the DEV-0569’s distribution vectors, enabling it to reach more targets and deliver malware payloads, the company…

Source…