A new malvertising campaign has been detected in the wild. Its purpose is to trick potential victims into executing fake installers for popular programs, which eventually download an infostealer, a backdoor and a malicious Chrome extension. The discovery comes from Cisco Talos researchers, who believe the threat actor behind the campaigns, dubbed Magnat, was previously unknown.
Inside the Magnat Malvertising Campaign
According to the report, the Magnat malvertising campaign consists of several malware distribution operations that started in 2018. Targeted countries include Canada, the U.S., Australia, and some EU countries. Previously undocumented malware families, including a backdoor (known as MagnatBackdoor) and a Google Chrome extension, are being delivered in the campaigns. The purpose of it all? Financial gain from selling stolen user credentials, as well as fraudulent transactions and Remote Desktop access to compromised systems via a backdoor.
The information stealer (either Azorult or Redline) is capable of harvesting all credentials available on the victim’s machine. The backdoor is also capable of setting up remote access via a hidden Microsoft Remote Desktop session. This is accomplished by forwarding the RDP port through an SSH tunnel, which allows access to systems sitting behind a firewall. The malicious browser extension (which Talos called MagnatBackdoor) also contains info-stealing features, including keylogging and screenshot capture.
How Is the Malicious Campaign Initiated?
This part of the Magnat malvertising campaign is a great reminder of how dangerous it is to download software from unverified sources. As a malvertising (malicious advertising) operation, it starts when the victim clicks an ad that links to a web page prompting them to download a software installer. Cisco Talos says that this installer has various file names, including viber-25164.exe, wechat-35355.exe, build_9.716-6032.exe, setup_164335.exe, nox_setup_55606.exe and battlefieldsetup_76522.exe.
Instead of downloading a particular software program, the victim executes a malicious loader.
“The installer/loader is an SFX-7-Zip archive or a nullsoft installer that decodes and drops a legitimate AutoIt interpreter, and three obfuscated AutoIt scripts that decode the final payloads in memory and inject them into the memory of another process,” Talos said. The final payloads of the Magnat campaign are the same in almost all cases – infostealer, malicious extension, and backdoor described above.
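One way a defender can hunt for this loader chain in endpoint telemetry, as an added example that is not part of the Talos report: the installer names above are generalised into a lure-name pattern (an assumption drawn from the six names listed), and a dropped AutoIt interpreter is recognised by its PE original file name, which Sysmon process-creation events expose as `OriginalFileName` even when the binary has been renamed. The event records are constructed for this example.

```python
import re
from typing import Dict, List

# Lure-installer naming seen in the campaign; the regex generalising the
# six reported names (e.g. viber-25164.exe, build_9.716-6032.exe) is an
# assumption for this example, not a pattern published by Talos.
LURE_NAME = re.compile(r"^[a-z][a-z0-9]*(?:[._-][a-z0-9.]+)*[-_]\d{3,6}\.exe$", re.I)

# Original file names of the AutoIt interpreter; matching on the Sysmon
# OriginalFileName field catches the interpreter even if dropped under
# another name in a temp directory.
AUTOIT_ORIGINAL_NAMES = {"autoit3.exe", "autoit3_x64.exe"}

def is_lure_installer(image: str) -> bool:
    """True if the executable's base name follows the fake-installer pattern."""
    return bool(LURE_NAME.match(image.rsplit("\\", 1)[-1]))

def is_autoit_interpreter(event: Dict[str, str]) -> bool:
    """True if the process's PE original file name is an AutoIt interpreter."""
    return event.get("OriginalFileName", "").lower() in AUTOIT_ORIGINAL_NAMES

def find_loader_chains(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag AutoIt interpreters whose parent process is a lure-named installer."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.get("ParentProcessId", ""))
        if is_autoit_interpreter(e) and parent and is_lure_installer(parent["Image"]):
            hits.append({"installer": parent["Image"], "interpreter": e["Image"],
                         "script": e.get("CommandLine", "")})
    return hits

# Constructed Sysmon-style process-creation records for a local dry run.
SAMPLE_EVENTS = [
    {"ProcessId": "1200", "ParentProcessId": "800",
     "Image": r"C:\Users\u\Downloads\viber-25164.exe",
     "OriginalFileName": "viber-25164.exe", "CommandLine": "viber-25164.exe"},
    {"ProcessId": "1300", "ParentProcessId": "1200",
     "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"svc.exe C:\Users\u\AppData\Local\Temp\a.au3"},
    {"ProcessId": "1400", "ParentProcessId": "800",
     "Image": r"C:\Program Files\Viber\Viber.exe",
     "OriginalFileName": "Viber.exe", "CommandLine": "Viber.exe"},
]

if __name__ == "__main__":
    for hit in find_loader_chains(SAMPLE_EVENTS):
        print("suspicious loader chain:", hit)
```

In a real environment the same check would read Sysmon Event ID 1 records from the SIEM rather than the inline list, and a match should be followed by inspection of the dropped interpreter and scripts rather than treated as proof on its own.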
In conclusion, the researchers believe that the campaigns rely on the malvertising approach to reach users interested in specific keywords related to software. Potential victims are presented with links to download popular programs but instead execute malware. This type of threat is highly effective, so we advise you to be extra vigilant with downloading software from the internet.