Arctic Wolf researchers have uncovered a sophisticated SEO poisoning campaign targeting IT professionals with fake websites hosting Trojanized versions of PuTTY and WinSCP, leading to backdoor malware infections that can compromise enterprise networks. The campaign exploits search engine results to redirect victims to malicious sites, emphasizing the need for organizations to enforce strict software acquisition policies and deploy network protections to mitigate risks.
Spyware makers are reportedly using online ads to infect specific targets with spyware, allowing governments to conduct surveillance. Companies like Intellexa and Insanet have developed ad-based spyware infection systems capable of locating and infecting individuals through online ads. Ad blockers can be an effective defense against malvertising and ad-based malware, preventing the ads from loading in web browsers and enhancing privacy by blocking tracking code. Security experts recommend using ad blockers as a safety precaution against government spyware and malvertising attacks.
Fake Facebook job ads are being used to distribute a new Windows-based stealer malware called Ov3r_Stealer, designed to steal credentials and crypto wallets. The malware is spread through a weaponized PDF file shared on fake Facebook accounts and ads, ultimately leading to the execution of a PowerShell loader from a GitHub repository. Similarities with another stealer called Phemedrone suggest that Ov3r_Stealer may be a repurposed version of it. Threat actors are observed sharing news reports about the malware to build credibility for their malware-as-a-service business. This comes amidst reports of threat actors advertising access to law enforcement request portals and the emergence of infections leveraging cracked software to drop information stealers, crypto miners, and ransomware.
Cybersecurity researchers have discovered an updated version of the macOS information stealer Atomic Stealer, now equipped with payload encryption to evade detection. The malware, initially available for $1,000/month, is now being rented out for $3,000/month, with a Christmas promotion offering it at a discounted price of $2,000. It is being distributed through malvertising and compromised sites, with a recent shift using Google search ads impersonating Slack to deploy the malware. Mac users are advised to download software from trusted sources to avoid falling victim to malicious ads and decoy sites.
A malvertising campaign is distributing the PikaBot malware disguised as popular software like AnyDesk. PikaBot, previously distributed via malspam campaigns, is a loader and backdoor that allows threat actors to gain unauthorized remote access to compromised systems. The malware is being leveraged by the cybercrime threat actor TA577, who has previously delivered QakBot, IcedID, and Cobalt Strike. The initial infection vector involves a malicious Google ad for AnyDesk that redirects victims to a fake website hosting a malicious MSI installer. The attacks bypass Google's security checks and employ fingerprinting techniques to ensure the victim is not in a virtualized environment. This malvertising campaign is reminiscent of previous chains used to distribute FakeBat malware. Additionally, there has been a rise in malicious ads targeting popular software searches, including the use of a Chrome extension framework called ParaSiteSnatcher to intercept and exfiltrate sensitive information.
Microsoft has issued a warning about a new wave of CACTUS ransomware attacks that utilize malvertising tactics to distribute DanaBot as an initial access point. The DanaBot infections have been linked to the ransomware operator Storm-0216 (Twisted Spider, UNC2198), resulting in the deployment of CACTUS ransomware. DanaBot is a versatile tool capable of stealing information and serving as an entry point for subsequent attacks. The threat actor has also exploited QakBot infections for initial access. This shift to DanaBot is likely due to a coordinated law enforcement operation that dismantled QakBot's infrastructure. The current DanaBot campaign is using a private version of the info-stealing malware. The stolen credentials are sent to a server controlled by the actor, who then gains access through RDP sign-in attempts and transfers control to Storm-0216. This warning follows recent reports of CACTUS ransomware attacks exploiting vulnerabilities in Qlik Sense and the discovery of a new macOS ransomware called Turtle.
Google has been hosting a malicious ad that appears to be a legitimate pitch for the password manager KeePass. The ad leads users to a website with an almost identical URL to the genuine KeePass site, creating a convincing deception. The imposter site uses punycode encoding to appear genuine, making it difficult to detect. The ads have been running since Saturday and were paid for by an advertiser verified by Google. There is no foolproof way to detect these malicious ads or encoded URLs, but users can manually type the URL or inspect the TLS certificate for verification.
A malvertising campaign targeting users searching for the popular Notepad++ text editor has been active for several months, evading detection. The campaign utilizes Google Ads to promote fake software websites that distribute malware. The final payload is believed to be Cobalt Strike, which often precedes ransomware attacks. The campaign tricks users with misleading titles in Google Search result advertisements, redirecting them to a decoy site or a malicious website that mimics the real Notepad++ site. Victims who meet certain criteria are served an HTA script, likely enabling the attackers to track their infections. To avoid downloading malware, users are advised to skip promoted results on Google Search and verify the official domain of the software they are looking for.
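The punycode check described in the KeePass item, together with the Notepad++ item's advice to verify the official domain of the software, as an added example that is not part of the original reporting: a small Python routine that decodes `xn--` labels back to Unicode, folds diacritics so a confusable letter compares as its plain counterpart, and checks the result against an allowlist of expected download domains. The allowlist (keepass.info and notepad-plus-plus.org are the real projects' sites, chosen here as an assumption of what a team would allowlist), the lookalike hostname and the sample URLs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption for the example: the domains a team expects downloads to come from.
# keepass.info and notepad-plus-plus.org are the real projects' sites.
EXPECTED_DOMAINS = {"keepass.info", "notepad-plus-plus.org"}


def to_unicode_host(host: str) -> str:
    """Return the Unicode form of a hostname, decoding xn-- (punycode) labels.

    Undecodable input is returned unchanged so a malformed label still gets
    reported instead of raising.
    """
    host = host.lower().rstrip(".")
    if not host.isascii():
        return host  # already Unicode, e.g. pasted from a browser address bar
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Crude confusable folding: strip combining marks so 'ķ' compares as 'k'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def assess_url(url: str, expected=EXPECTED_DOMAINS) -> dict:
    """Classify a download URL's host as 'expected', 'lookalike', or 'unknown'."""
    host = urlsplit(url).hostname or ""
    unicode_host = to_unicode_host(host)
    findings = []
    if host.isascii() and any(label.startswith("xn--") for label in host.lower().split(".")):
        findings.append("punycode label present")
    if not unicode_host.isascii():
        findings.append("non-ASCII characters in hostname")
    if unicode_host in expected:
        verdict = "expected"
    elif skeleton(unicode_host) in expected:
        findings.append(f"confusable with {skeleton(unicode_host)}")
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "unicode_host": unicode_host, "verdict": verdict, "findings": findings}


# Constructed sample: a lookalike of keepass.info using U+0137 (k with cedilla),
# encoded the way a browser would send it on the wire.
LOOKALIKE_HOST = "ķeepass.info".encode("idna").decode("ascii")
SAMPLE_URLS = [
    "https://keepass.info/download.html",
    f"https://{LOOKALIKE_HOST}/download.html",
    "https://keepass.info.example-cdn.test/",  # constructed: unrelated host reusing the name
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = assess_url(url)
        print(f"{result['verdict']:9} {url}  {'; '.join(result['findings'])}")
```

The diacritic-stripping skeleton only catches Latin letters with marks; a full homograph check also needs mixed-script detection and a confusables table, which is why the routine reports its findings rather than claiming a host is safe. A host that is neither on the allowlist nor a lookalike is still "unknown", and the advice in the items above (type the URL by hand, check the certificate) applies to it.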
Malicious ads are being served through Microsoft Bing's AI-powered chatbot, leading users to malware-distributing sites. Cybersecurity researchers have discovered that users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Threat actors are leveraging malvertising tactics to insert ads into Bing Chat conversations, placing fraudulent links ahead of the official sites hosting the desired tools. The malware delivered through these campaigns is currently unknown. This revelation comes as other cybersecurity firms uncover multi-step campaigns targeting the hospitality sector, using social engineering attacks and phishing techniques to steal customer information and financial data. Users are advised to be cautious of unsolicited links, suspicious messages, and deceptive URLs.
Malicious advertisements promoting fake download sites that distribute malware have infiltrated Microsoft's AI-powered Bing Chat responses. The incorporation of ads into Bing Chat has opened the door for threat actors to exploit the trust users place in AI-powered chat tools, potentially convincing them to click on ads. The malvertising campaign imitates a popular IP scanner and redirects users to a clone website that distributes malware. The final payload of the malware campaign is unknown, but it is likely to be information-stealing malware or a remote access trojan. Users are advised to be cautious of chatbot results and double-check URLs before downloading anything.
A new ransomware called Big Head is disguising itself as fake Windows updates and Word installers as part of a malvertising campaign. The ransomware infects devices and encrypts files by displaying a fake Windows update alert. It can delete backups, disable Task Manager, and steal web browser history and other information. To protect against ransomware attacks, users should avoid opening sketchy-looking emails, have good antivirus software, regularly back up files on an external hard drive or cloud service, and keep software up to date.
A new ransomware called Big Head is being distributed through a malvertising campaign disguised as fake Microsoft Windows updates and Word installers. The ransomware encrypts files on victims' machines and demands a cryptocurrency payment. Trend Micro has analyzed the ransomware and identified its inner workings, including its ability to display a fake Windows update UI to deceive victims. The malware also deletes backups, terminates processes, and checks for virtualized environments. It disables the Task Manager, aborts execution on systems set to certain languages, and incorporates a self-delete function. Trend Micro has detected a variant of Big Head with stealer behaviors and another variant that incorporates a file infector called Neshta. The identity of the threat actor behind Big Head is currently unknown.
Security researchers have analyzed a new ransomware strain called 'Big Head' that is believed to be spreading through malvertising campaigns promoting fake Windows updates and Microsoft Word installers. The ransomware, written in .NET, drops encrypted files on the target system that handle propagation, Telegram bot communication, and file encryption. It also displays a fake Windows update screen during the encryption process. Multiple variants of Big Head have been identified, with some incorporating data-stealing capabilities and file infection techniques. While not highly sophisticated, the ransomware targets consumers who may be easily tricked or lack cybersecurity awareness. The main author of Big Head is suspected to be of Indonesian origin, according to cyber-intelligence firm KELA.
Threat actors associated with the BlackCat ransomware are using malvertising techniques to distribute rogue installers of the WinSCP file transfer application. By hijacking keywords and displaying bogus ads on search results pages, unsuspecting users searching for WinSCP are redirected to sketchy pages where they unknowingly download malware. The malware contains a Cobalt Strike Beacon that connects to a remote server for follow-on operations, and also utilizes legitimate tools like AdFind for network discovery. The attackers gain top-level administrator privileges, conduct post-exploitation activities, and attempt to set up persistence using remote monitoring and management tools. This incident highlights the ongoing threat of ransomware and the need for robust cybersecurity measures.
Scammers are targeting older Americans through malvertising campaigns run through fake Google ads. Malvertising is the use of legitimate-looking online ads to spread malware to people's devices. The scammers create hundreds of fake websites via the web hosting platform Weebly, filled with realistic-looking content, so that the ads they place on Google pass validation and are approved; making the sites look as legitimate as possible is central to getting past that review. To protect yourself, have good antivirus software on all your devices.