Magnat campaigns delivering fake installers

Magnat campaigns delivering fake installers

Cyber security specialists warn of the Magnat malicious distribution waves targeted at the potential users of some most popular software. Threat actors use the methods of malvertising to successfully distribute their malicious software installer. The work presents itself especially tricky as it predisposes its victims to a high degree of trust and feeling of legitimacy. In malvertising threat actors use keywords related to searched software. And then they present to unknowing users links to download desired software. Specialists point out that in case of such types of threats, security awareness sessions, endpoint protection and network filtering should be in place to guarantee the safety of the system.

The malicious campaigns have been going on for nearly three years

The malicious campaigns have been going on for nearly three years. The malware activity started in 2018 with numerous C2 addresses that threat actors used in every month of activity. However one of the domains stataready[.]icu threat actors used as the MagnatExtension C2 only in January 2019. They still use it in the settings obtained from the C2 servers as the updated C2. In August this year a security researcher mentioned the malvertising campaign on their Twitter page. They posted screenshots of the ads and shared one of the downloaded samples.

Threat actors mostly targeted Canada (50% of the total infections), U.S and Australia. Also they focused their efforts on Norway, Spain and Italy. Cyber security specialists add that authors of the malware regularly improve their works, activity that shows clearly there will be other floods of malicious waves. The malware alone specialists discern one being the password stealer and the other a Chrome extension that works as a banking trojan. The use of the third element of the distributed malware RDP backdoor remains unclear to specialists. The first two may be used to obtain user credentials and further sell them or use for its own future purposes. While the third, RDP, threat actors most likely will use it for further exploitation on systems or sell as RDP access.

In an attack a user would look for a desired software when they come across an ad with a link

In an attack a user would look for a desired software when they come across an ad with a link. It redirects them to a web page where they could download searched software. Attackers named the downloads with different names. It could be nox_setup_55606.exe, battlefieldsetup_76522.exe, wechat-35355.exe, build_9.716-6032.exe, setup_164335.exe and viber-25164.exe. On the execution it won`t install the actual software but instead the malicious loader on the system. The installer in its turn deobfuscates and begins the execution of three malicious payloads: Password Stealer ( Redline or Azorult), Chrome Extension Installer and RDP Backdoor.

Specialists discern the installer/loader as a nullsoft installer that decodes and drops a legitimate AutoIt interpreter or an SFX-7-Zip archive. Here come also three obfuscated AutoIt scripts that decode the final payloads in memory and inject them into the memory to another process. Three specific pieces of malware make up the final payloads :

  • An installer for a chrome extension that includes several malicious features for stealing data from the web browser: keylogger, screenshotter, a form grabber, cookie stealer and arbitrary JavaScript executor;
  • A commodity password stealer. Initially it was Azorult and now it is Redline. Both have functions to steal all the credentials stored on the system. They are universally known across the community;
  • A backdoor, or backdoor installer configures the system for RDP access, adds a new user. And then appoints a scheduled task and recurrently ping the C2. On instruction it creates an outbound ssh tunnel sending on the RDP service.
  • Leave a Reply

    Your email address will not be published. Required fields are marked *