This dangerous malicious ad campaign mimics popular software to steal victim information
Cybersecurity researchers from HP Wolf Security have warned of a number of active campaigns aimed at delivering various types of malware to unsuspecting victims through mistyped domains and malicious ads.
The group explained in a blog post how they found threat actors creating many typosquatted websites impersonating popular software like Audacity, Blender or GIMP.
Scammers also pay various ad networks to run ads, promoting these fake websites. That way, when people search for these programs, the search engines will likely serve up malicious versions of websites right next to the legitimate ones. If users aren’t careful and don’t double-check the URL of the website they’re visiting, they may end up in the wrong place.
Fake Installer
If the victim goes to the wrong place, it will be difficult for them to tell the difference. Websites are designed to look almost identical to authentic websites, down to the smallest detail. In Audacity’s example, the website hosts a malicious .exe file posing as the program’s installer. It is named “audacity-win-x64.exe” and is over 300 MB in size.
With such a large file size, attackers try to avoid arousing suspicion (malware is usually measured in KB), and also try to evade antivirus programs. According to the researchers, the automatic scanning feature of some antivirus programs does not scan extremely large files.
The researchers said the files were hosted on the cloud storage service 4sync.com, adding that all the fake installers in this campaign were stored there, suggesting that a good defense mechanism might be to completely block access to this service.
During the campaign, different types of malware were distributed. The largest campaigns the researchers have seen have used this delivery method to deploy the IcedID trojan, but credential stealers Vidar, BatLoader, and Rhadamanthys Stealer have all been observed. According to HP Wolf Security, there has been an increase in these campaigns since last November.