Cybersecurity researchers recently uncovered several malicious campaigns that used Google Ads to distribute malware such as Gozi, RedLine, Vidar, Cobalt Strike, SectoRAT, and Royal Ransomware, disguising it as legitimate applications including 7-Zip, VLC, OBS, Notepad++, CCleaner, TradingView, and Rufus. One piece of malware in particular, called ‘LOBSHOT’, is especially dangerous because it contains an hVNC (hidden VNC) component that lets attackers control infected Windows devices without the user noticing.
LOBSHOT Malware Campaign Uncovered in the Wild
Elastic Security Labs and the wider research community detected a steep rise in malvertising activity. Attackers used an elaborate combination of fraudulent websites, Google Ads, and backdoors embedded in what appeared to be legitimate installers.
At the heart of LOBSHOT is its hVNC (Hidden Virtual Network Computing) component. It lets attackers connect directly to the machine without alerting the user, a capability shared with several other malware families. Elastic's report walks through the LOBSHOT infection chain and its characteristics, and provides a YARA signature and a configuration extractor for it.
Elastic attributed the malware to a known threat group, TA505, based on an analysis of infrastructure historically associated with the group. TA505 is a financially motivated cybercrime group that has, in some reporting, been tracked as Evil Corp, FIN11, and Indrik Spider.
LOBSHOT uses dynamic import resolution, anti-emulation checks, and string encryption to hide from security products. Once installed, it modifies the Windows Registry to persist and steals data from more than 50 cryptocurrency wallet extensions used in browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
LOBSHOT Is Also an Infostealer
The malware also has an info-stealing capability: it launches a new thread that targets Google Chrome, Microsoft Edge, and Mozilla Firefox extensions associated with cryptocurrency wallets. Its initial targets were 32 Chrome wallet extensions, followed by 9 Edge wallet extensions and 11 Firefox wallet extensions. Procmon output in the report shows LOBSHOT’s attempts to access those wallet extension directories one after another.
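That enumeration pattern, a single non-browser process probing extension directories across several browsers in quick succession, is something a defender can look for in Procmon data. The following Python script is an added example, not code from Elastic's report: it parses a constructed Procmon CSV export (a subset of Procmon's real column set) and flags such processes. The process name, profile paths and extension IDs in the sample are placeholders, not LOBSHOT indicators.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon-style CSV export (subset of Procmon's columns).
# All paths and extension IDs below are placeholders, not real indicators.
SAMPLE_PROCMON = """Process Name,Operation,Path,Result
svc_upd.exe,CreateFile,C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop,NAME NOT FOUND
svc_upd.exe,CreateFile,C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ponmlkjihgfedcbaponmlkjihgfedcba,NAME NOT FOUND
svc_upd.exe,CreateFile,C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\aaaabbbbccccddddeeeeffffgggghhhh,NAME NOT FOUND
svc_upd.exe,CreateFile,C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\extensions\\wallet@example.org.xpi,NAME NOT FOUND
chrome.exe,CreateFile,C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop,SUCCESS
"""

# Chrome/Edge extension IDs are 32 characters from a-p; Firefox ships .xpi files.
EXT_PATH = re.compile(
    r"\\(?:Local Extension Settings|Extensions)\\(?P<ext>[a-p]{32})"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\extensions\\(?P<xpi>[^\\]+)",
    re.IGNORECASE,
)
BROWSER_TAGS = {"chrome": "\\google\\chrome\\", "edge": "\\microsoft\\edge\\",
                "firefox": "\\mozilla\\firefox\\"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def extension_probes(procmon_csv):
    """Map each process to {browser: set of extension IDs} it touched."""
    probes = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        match = EXT_PATH.search(row["Path"])
        if not match:
            continue
        lowered = row["Path"].lower()
        browser = next((b for b, tag in BROWSER_TAGS.items() if tag in lowered), "other")
        probes[row["Process Name"]][browser].add(match.group("ext") or match.group("xpi"))
    return probes


def suspicious_processes(procmon_csv, min_extensions=3, min_browsers=2):
    """Flag non-browser processes that probe many extension dirs across browsers."""
    flagged = {}
    for proc, per_browser in extension_probes(procmon_csv).items():
        if proc.lower() in BROWSER_PROCESSES:
            continue  # browsers legitimately read their own extension folders
        total = sum(len(ids) for ids in per_browser.values())
        if total >= min_extensions and len(per_browser) >= min_browsers:
            flagged[proc] = {"browsers": sorted(per_browser), "extensions": total}
    return flagged


if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PROCMON))
```

The thresholds are deliberately low for the sample; in a real hunt, tune them against baseline Procmon captures from the environment.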
In Conclusion
Threat groups keep using malvertising to pass off backdoors such as LOBSHOT as genuine software. Despite their deceptively small size, these malware families carry substantial functionality that helps threat actors during initial access, giving them full, interactive remote control. The researchers have been observing fresh samples of this family every week and expect it to remain prevalent for the foreseeable future.