Redline Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/redline/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 28 Dec 2023 22:13:44 +0000 en-US hourly 1 https://wordpress.org/?v=83575 200474804 Malicious CPU-Z Copy Is Spread In Google Search Ads https://gridinsoft.com/blogs/fake-cpu-z-google-ads/ https://gridinsoft.com/blogs/fake-cpu-z-google-ads/#respond Wed, 15 Nov 2023 13:18:30 +0000 https://gridinsoft.com/blogs/?p=17661 Attackers are again abusing the Google Ads platform to distribute malicious advertising and Redline information stealer. This time, the ads advertised a trojanized version of the CPU-Z tool. CPU-Z Malware in the WindowsReport Page Clone Recently, a wave of malicious ads on Google Search results page offered users a Trojan-infected version of the popular CPU-Z… Continue reading Malicious CPU-Z Copy Is Spread In Google Search Ads

The post Malicious CPU-Z Copy Is Spread In Google Search Ads appeared first on Gridinsoft Blog.

]]>
Attackers are again abusing the Google Ads platform to distribute malicious advertising and Redline information stealer. This time, the ads advertised a trojanized version of the CPU-Z tool.

CPU-Z Malware in the WindowsReport Page Clone

Recently, a wave of malicious ads on Google Search results page offered users a Trojan-infected version of the popular CPU-Z program. For better disguise, the malware was hosted on a clone site of the real news site WindowsReport. As the presence of the official site for the product is not that obvious for users, such a trick was quite effective.

Adware on Google Ads with Redline
Malvertising

By clicking on such an advertisement, the victim goes through a series of redirects that fooled Google’s security scanners and filtered out crawlers, VPNs, bots, etc., redirecting them to a special decoy site that did not contain anything malicious.

Redirection after click on Google Ads
Redirects (source: Malwarebytes)

Users ended up on a fake news site hosted on one of the following domains:

  • argenferia[.]com;
  • realvnc[.]pro;
  • corporatecomf[.]online;
  • cilrix-corp[.]pro;
  • thecoopmodel[.]com;
  • winscp-apps[.]online;
  • wireshark-app[.]online;
  • cilrix-corporate[.]online;
  • workspace-app[.]online.

The result of these manipulations is the chain attack, initiated with FakeBat malware. Further, this loader injects well-known RedLine infostealer – an old-timer of the scene.

What is RedLine Infostealer?

Downloading the CPU-Z installer from the attackers’ resource resulted in the download of an MSI file containing a malicious PowerShell script, which the researchers identified as the FakeBat malware loader (aka EugenLoader). This downloader extracted the Redline payload from a remote URL and launched it on the victim’s computer.

Redline is a powerful data theft tool that can steal passwords, session tokens, cookies, and vast amounts of other stuff. We have a dedicated article with the complete tech analysis of this malware – consider checking it out.

Earlier, we wrote about how cybercriminals distribute RedLine infostealer. It uses sites for downloading the fake MSI Afterburner utility. To distribute it, various domains were also used as part of the hacker campaign, which could be mistaken by users for the official MSI website. The imitation of brand resources was done quite well.

According to Google representatives, all malicious ads associated with the hacker campaign to distribute the infected CPU-Z tool have now been removed, and appropriate action has been taken against the accounts associated with them.

This is not the first time that hackers have used Google Ads

This exact malvertising campaign was discovered by analysts, who believe it is part of a previously observed campaign of a similar purpose. Previously, the attackers used fake Notepad++ advertisements to deliver the malware.

In the ads, the attackers promoted URLs that were clearly not associated with Notepad++, and used misleading titles in their ads. Since headers are much larger and visible than URLs, many people likely didn’t notice the catch.

Let me remind you that we talked about how malware operators and other hackers are increasingly using Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Slack, Grammarly, Dashlane, Audacity, and dozens of other programs.

The post Malicious CPU-Z Copy Is Spread In Google Search Ads appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fake-cpu-z-google-ads/feed/ 0 17661
Redline and Vidar Stealers Switch to Ransomware Delivery https://gridinsoft.com/blogs/redline-and-vidar-ransomware/ https://gridinsoft.com/blogs/redline-and-vidar-ransomware/#respond Wed, 20 Sep 2023 16:13:53 +0000 https://gridinsoft.com/blogs/?p=17010 Cybercriminals who stand behind RedLine and Vidar stealers decided to diversify their activity. Now, crooks deploy ransomware, using the same spreading techniques as they used to deliver their spyware. Meanwhile, the process of ransomware enrollment is rather unusual and is full of advanced evasion techniques. What are Redline and Vidar Stealers? RedLine is an infostealer… Continue reading Redline and Vidar Stealers Switch to Ransomware Delivery

The post Redline and Vidar Stealers Switch to Ransomware Delivery appeared first on Gridinsoft Blog.

]]>
Cybercriminals who stand behind RedLine and Vidar stealers decided to diversify their activity. Now, crooks deploy ransomware, using the same spreading techniques as they used to deliver their spyware. Meanwhile, the process of ransomware enrollment is rather unusual and is full of advanced evasion techniques.

What are Redline and Vidar Stealers?

RedLine is an infostealer malware that appeared back in 2020, offered under Malware-as-a-service model. It is appreciated by cybercriminals for its wide functionality, that includes not only automated data gathering, but also manual commands for scanning the directories. And, typically for any stealers, it relies on stealthiness, that is additionally enhanced by a crypter software that comes as a side to the malware.

Vidar is similar but different. Aiming at a similar list of desktop apps, browsers and crypto wallets, it is closer to the definitive stealer. Once it finishes collecting information, all the gathered info is packed into the archive and sent to the command server. When this transfer is over, Vidar performs “melting” – or deletes itself, simply.

RedLine and Vidar Ransomware Delivery

In late summer 2023, the developers of RedLine and Vidar stealers started spreading ransomware under their own rule. The methods of gaining initial access remained the same – crooks send to victims an email with awaited or unpleasant information and an attachment. This attachment – you guessed it right, is a payload. The use of double extensions (pdf.htm, in one of the cases noticed by analysts) is quite typical for such attacks. As Microsoft disabled macros from running when they have come from the Web, the new, and quite old ways of spreading were put into use.

Vidar & RedLine Ransomware

Once the victim runs the file, the chain of executions starts. First, the JScript applet connects to the intermediary server, downloads and executes the .exe file. This file, in turn, initiates the downloading of a PNG picture, which appears to be a bitmap image. Further, the image decodes into a shellcode, which transforms into yet another shellcode, saved to the Temp folder.

The second shellcode is getting launched in a Command Prompt instance spawned by the aforementioned .exe file. This way, the final payload comes into view – an infected console instance of 7-Zip utility. Upon execution, it launches the ransomware attack.

RedLine Uses EV Certificates to Conceal Itself

Another interesting, though not novel tactic used by hackers, is embedding EV certificates into malware. RedLine started using this practice in June 2023, starting with its stealers. Extended Validation (EV) code signing certs appeared as a shortcut for large companies for signing their software. Instead of thorough checks that prime the issue of a regular code certificate, this one needs only the request from a company. To get the right of EV requesting, the co should undergo a 16-stage checkup that verifies all edges of its identity. But, as it commonly happens, cybercriminals found a way to use it for their benefit.

It is not uncommon for certificates to leak, but the trust level is critical this time. Common certs require less authentication to issue, and consequently have less trust. Meanwhile, EV certificates rarely fall under suspicion, and frequent recalls may turn into a problem for the company. There is also no clear info on how EV certificates leaked. In the case of RedLine, such application turns exceptionally threatening due to the number of its samples that appear every day.

RedLine stats

How to protect against ransomware?

Surely, modern ransomware amazes with the diversity of evasion techniques and damage done to the system. However, the spreading methods remain more or less the same for most families and samples. Email spam, questionable software downloaded from third-party sources – they have no reason to change a well-working scheme. And your best counteraction to this is your attention with spreading methods.

Do not interact with questionable emails. Hackers commonly use buzzwords that induce urgency of required actions. That is what drastically differs genuine messages from spam ones – companies never do that. Even though some of the messages are styled so they look legit and repeat what you’re waiting for, avoid haste and check the details of the message. Aside from the text style, the email address in spam messages is typically wrong from a normal one. Fortunately, there is no way to hide the sender’s address.

Be diligent to the files from the Internet you are going to run. The trick with double extensions (like .pdf.exe) exists over two decades, and hackers never shy away from using it. Since Windows does not show you the extensions of your files, it is extremely easy to get fooled in such a way. In your File Explorer settings, you can make it showing the extensions. Go to the View button on the upper panel, then click Show → File Name Extensions option in the drop-down list. This will make it much easier to detect such tricky files.

Enable file extensions File Explorer

Use a reliable anti-malware software with advanced heuristic features. As you could have guessed, it is quite hard to detect the ransomware from RedLine developers statically. It disguises as deeply encoded files that are hard to identify in any way. Even the final payload masquerades as a legit console utility. In such a sophisticated case, only a heuristic detection method can help. GridinSoft Anti-Malware has multi-stage heuristic analysis with a neural scanning engine on hand. This can effectively detect such threats – try it out!

Redline and Vidar Stealers Switch to Ransomware Delivery

The post Redline and Vidar Stealers Switch to Ransomware Delivery appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/redline-and-vidar-ransomware/feed/ 0 17010
Infostealers: How to Detect, Remove and Prevent them? https://gridinsoft.com/blogs/infostealers-detect-remove-prevent/ https://gridinsoft.com/blogs/infostealers-detect-remove-prevent/#respond Fri, 28 Jul 2023 21:59:31 +0000 https://gridinsoft.com/blogs/?p=16379 The flow of information is crucial in today’s world, but it’s also precious to cybercriminals. They target personal data stored on your device through infostealer malware, putting your information at risk. Experts have marked a significant rise in the spread of information-stealing malware, also known as infostealers or stealers. In Q1 2023, the number of… Continue reading Infostealers: How to Detect, Remove and Prevent them?

The post Infostealers: How to Detect, Remove and Prevent them? appeared first on Gridinsoft Blog.

]]>
The flow of information is crucial in today’s world, but it’s also precious to cybercriminals. They target personal data stored on your device through infostealer malware, putting your information at risk. Experts have marked a significant rise in the spread of information-stealing malware, also known as infostealers or stealers. In Q1 2023, the number of incidents has more than doubled, indicating a concerning trend that threatens global organizations.

What is an Infostealer?

Infostealer is malicious software that collects information on a device it has infected and sends it to a threat actor. It explicitly targets login credentials saved in web browsers, browsing history, credit card and cryptocurrency wallet information, location data, device information, emails, social media platforms, and instant messaging clients – anything valuable.

When malware finds a valuable information, it saves the thing into a specifid directory on a disk. Then, at the end of the entire procedure, malware packs this directory and sends to the command server. The most valuable information threat actors seek is account details and banking card information. Also they can use this data or sell it on dark web markets. Infostealer logs are highly profitable on underground marketplaces, indeed it making them a prevalent form of malware.

Stealer Number of available logs
Raccoon 2,114,549
Vidar 1,816,800
RedLine 1,415,458
Total 5,350,640
Number of infostealer logs available for sale on darknet at the end of February 2023.

Around 2020, infostealers got their minute of fame, which keeps going even today, in 2023. Such a surge defined 3 leaders of the “industry” – Racoon, Vidar, and RedLine Stealer. Also security experts have noticed that these types of malware have been utilized to steal ChatGPT accounts. This highlights how cybercriminals use stealers to gain access to individuals’ private information.

RedLine

In March 2020, RedLine appeared on the Russian market and quickly became a top seller in the logs category. This malicious software is designed to steal sensitive information from web browsers, including saved login credentials, autocomplete data, credit card information, and cryptocurrency wallets. Once it infects a system, RedLine thoroughly inventory the username, location data, hardware configuration, and installed security software. It is distributed through various means, including cracked games, applications, services, phishing campaigns, and malicious ads.

RedLine infostealer
RedLine Telegram channel showing prices and deals

Raccoon

In 2019, the Raccoon Stealer was first introduced as a malware-as-a-service (MaaS) model and was promoted on underground forums. Later, scoundrels switched to selling their “product” in Telegram groups. In 2022, Raccoon received a new update whicwhich spruced up the detection evasion mechanismh and added new functionality. Interestingly enough that hackers community tend to dislike this infostealer and sprinkle it with dirt on forums. According to a belief, its admins steal the most “juicy” logs.

Raccoon infostealer
Raccoon Stealer Telegram channel

Vidar

Vidar is a classic example of a hit-and-run infostealer malware. In 2019, Vidar was first noticed during a malvertising campaign where the Fallout exploit kit was employed to disseminate Vidar and GandCrab as secondary payloads. This malicious software is sold as a standalone product on underground forums, and Telegram channels, and it includes an admin panel that allows customers to configure the malware and then keep track of the botnet.

Vidar infostealer
Vidar infostealer admin panel

Also this program is created using C++ and is based on the Arkei stealer. Vidar can extract browser artifacts, contents of specific cryptocurrency wallets, PayPal data, session data, and screenshots. Once done, it performs a so-called meltdown – in other words, simply removes itself from the machine.

Where can I get the infostealer?

Hackers may employ various methods to spread infostealers. Among the most prevalent techniques are different attack vectors, such as:

  • Pirated software
    It is common for hacking groups to include malware with pirated software downloads. Infostealers and other types of malware have been distributed through pirated software before.

  • Malvertising
    It’s common for exploit kits to target websites with malicious advertisements. If you click on one of these ads, you might unknowingly install an infostealer or be redirected to a website with malware available for download. Sometimes just viewing the malicious advertisement is enough to trigger the infostealer download.

  • Compromised system
    As previously mentioned, infostealers are typically installed from a remote location once the attackers successfully access the target system. As a result a compromised system becomes an open book for hackers.

  • Spam
    It is common for malicious individuals to send infostealers through email, often pretending to be a legitimate organization. The infostealer can either be attached directly to the email, or the recipient may be tricked into clicking on a harmful link, leading to the malware download. These spam emails are usually sent to large groups, but sometimes they can be customized for a specific individual or group.

How to Prevent your system from infostealers?

Here are some practices that can help lower the risk of getting infected with an infostealer:

  • Install updates
    One way infostealers can be distributed is by using known browser vulnerabilities. To reduce the risk of this happening, it is vital to install updates for your operating system, browser, and other applications as soon as they become available.
  • Think twice before clicking
    Be careful with opening files and clicking links to avoid infostealers. Because, they often spread through malicious email attachments and harmful websites. Don’t open unsolicited email attachments. Be cautious of emails that don’t address you by name. Check URLs before clicking them.
  • Use multi-factor authentication
    Multi-factor authentication (MFA) is a valuable security feature that protects against unauthorized access to accounts, tools, systems, and data repositories. So, if someone steals your login credentials, MFA requires a secondary form of authentication, making it more difficult for a threat actor to access the compromised account. Secure password storage may be a useful add-on option as well.
  • Avoid pirated software
    It is common for pirated software to contain malware, as it is a way for pirates to earn money. Therefore, it is best to use legitimate applications. Nowadays, there are numerous free, freemium, and open-source alternatives available that eliminate the need to take the risk of using pirated software.
  • Have anti-malware software as a back-up. You never know what trick will hackers do next, and playing what-ifs is a bad idea. For that case, it is better to have a versatile tool on hand, which will help you with detecting and removing malicious programs. GridinSoft Anti-Malware is one you can rely on – give it a try.

The post Infostealers: How to Detect, Remove and Prevent them? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/infostealers-detect-remove-prevent/feed/ 0 16379
Over 100k ChatGPT Accounts Are For Sale on the Darknet https://gridinsoft.com/blogs/over-100k-chatgpt-accounts-compromised/ https://gridinsoft.com/blogs/over-100k-chatgpt-accounts-compromised/#respond Thu, 22 Jun 2023 13:04:13 +0000 https://gridinsoft.com/blogs/?p=15524 According to a new report, over the past year, over 100k ChatGPT users’ accounts have been compromised using malware to steal information. India was in first place for the number of hacked accounts. ChatGPT in a Nutshell Perhaps every active Internet user has at least heard of a chatbot from OpenAI. Is it worth mentioning… Continue reading Over 100k ChatGPT Accounts Are For Sale on the Darknet

The post Over 100k ChatGPT Accounts Are For Sale on the Darknet appeared first on Gridinsoft Blog.

]]>
According to a new report, over the past year, over 100k ChatGPT users’ accounts have been compromised using malware to steal information. India was in first place for the number of hacked accounts.

ChatGPT in a Nutshell

Perhaps every active Internet user has at least heard of a chatbot from OpenAI. Is it worth mentioning that many use it for study or work? This bot can do a lot, for example, give advice, and the recipe for your favorite dishes, find an extra semicolon and comma in the code, or even rewrite the code. Even this text was written by ChatGPT (joke). While some users use ChatGPT as a key generator for Windows, others embed it in their enterprise processes. The latter is most interesting to attackers since ChatGPT saves the entire history of conversations by default.

ChatGPT Accounts Are Compromised by Stealer Malware

According to a new report, 101,134 accounts were compromised by info stealer malware. Researchers found stolen information logs about these credentials illegally sold on darknet marketplaces over the past year. In addition, attackers stole most accounts between June 2022 and May 2023. The epicenter was Asia-Pacific (40.5%), with India (12,632 accounts), Pakistan (9,217 accounts), and Brazil (6,531 accounts). The Middle East and Africa came in second place with 2,925 accounts, followed by Europe in third place with 16,951 accounts. Next comes Latin America with 12,314 accounts, North America with 4,737, and the CIS with 754 accounts. The affiliation of 454 compromised accounts is not specified.

Tools for accounts compromise

As mentioned above, cybercriminals stole information using specific malware, exactly – stealers. This malware is specifically tuned to steal specific information. In this case, the attackers used Raccoon Stealer, who stole 78,348 accounts; Vidar, which stole 1,984 accounts; and Redline Stealer, that stole 6,773 accounts. Although it is widely believed that the Raccoon group has degenerated, this did not prevent it from stealing the most accounts. This is probably because this malware is so widespread that it continues to function even after it has been blocked by more security-conscious organizations by more security-conscious organizations.

Causes

At first glance, it may seem more reasonable to steal bank data. However, there are several reasons for the high demand for ChatGPT accounts. First, the attackers are often in countries where chatbot does not work. Residents of countries such as Russia, Iran, and Afghanistan are trying to access the technology at least that way. Accounts with paid subscriptions are prevalent.

Second, as mentioned initially, many organizations use ChatGPT in their workflows. In addition to the fact that employees often use it and may unknowingly enter sensitive information (this has happened, too), some businesses integrate ChatGPT into their workflow. For example, employees may maintain secret correspondence or use the bot to optimize proprietary code. Because ChatGPT stores the history of user queries and AI responses, this information can be seen by anyone with access to the account. Such accounts are precious on the darknet, and many are willing to pay good money to get them.

Security Recommendations

However, users can reduce the risks associated with compromised ChatGPT accounts. I recommend enabling two-factor authentication and updating your passwords regularly. 2FA will be a pain in the ass and deny attackers from logging into your account even if they know your username and password. Regular password changes are an effective tool against password leaks. Besides, you can disable the “Chat history & training” checkbox or manually clear conversations after each conversation.

How to disable Chat history & training
Click on your email address, then settings. Then follow the instructions in the screenshot.

The post Over 100k ChatGPT Accounts Are For Sale on the Darknet appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/over-100k-chatgpt-accounts-compromised/feed/ 0 15524
RedLine Stealer Issues 100,000 Samples – What is Happening? https://gridinsoft.com/blogs/redline-stealer-100000-samples/ https://gridinsoft.com/blogs/redline-stealer-100000-samples/#respond Mon, 15 May 2023 10:02:02 +0000 https://gridinsoft.com/blogs/?p=14500 Throughout the entire early May 2023, GridinSoft analysts team observed an anomalous activity of RedLine stealer. It is, actually, an activity different from what we used to know. Over 100,000 samples of this malware appeared through the first 12 days of the month – that is too much even for more massive threats. Needless to… Continue reading RedLine Stealer Issues 100,000 Samples – What is Happening?

The post RedLine Stealer Issues 100,000 Samples – What is Happening? appeared first on Gridinsoft Blog.

]]>
Throughout the entire early May 2023, GridinSoft analysts team observed an anomalous activity of RedLine stealer. It is, actually, an activity different from what we used to know. Over 100,000 samples of this malware appeared through the first 12 days of the month – that is too much even for more massive threats. Needless to say for stealer malware such a massive outbreak is confusing, to say the least.

What is RedLine malware?

First, let me remind you what RedLine is. It is a classic infostealer that targets cryptocurrency wallet credentials, browser AutoFill forms, cookies, and credentials from other applications. The most common way of spreading this malware is spear phishing, which contains infected files and phishing links. Another option used by malware masters recently is malvertising through Google Search ads. The latter supposes the creation of a website that replicates the downloading page of a legit free software – like 7zip, OBS Studio or LibreOffice.

Consider reading the full analysis of RedLine Malware in our Threat Encyclopedia

Emerged in early 2020, RedLine had moderate activity throughout its lifespan. The first noticeable activity happened only half a year after the first sample detection – meaning its developers were raising their malware from scratch. But now it made an enormous spike, that peaked on May 7 – over 39,000 samples emerged that day.

RedLine stats
Bar graph of new RedLine stealer samples detection. Early May activity is frankly easy to spot.

What does that mean?

Actually, almost a hundred thousand samples do not correspond to 100,000 victims. RedLine malware toolkit offers sample recompilation and its developers recommend compiling a fresh sample for each attack. That makes every malware unit unique, which makes it way harder to detect by classic anti-virus programs. Encrypting utility, which is also recommended by the malware developers to use, makes it even tougher.

Sure, some of these samples are definitely used in ongoing attacks. RedLine bears on continuous operations and botnet expansions, which requires retaining high infection rates. “Background” activity of this malware is about 1,500 samples a day – meaning most of them are used in actual attacks. Meanwhile, no huge infection spikes were detected recently, at least not of the scale of the sample generation.

The most concerning hypothesis is that RedLine is getting ready for a massive attack. How will this attack be conducted – this is about to be guessed or seen, yet cybercriminals rarely betray their “classic” spreading ways. Email spam, especially precision-made ones, remains very effective and exceptionally cheap – so why would they reinvent the bicycle?

Malicious Campaign through Google Search
Malicious ads in Google Search

Another possible occasion is way less dramatic, yet does not mean that the threat is over. Such a massive sample generation may be an outcome of some tests – for example, ones done to test the compiler, crypto, or other mechanism. Neither me nor any other analyst can know for sure what exactly they test, but these changes may have qualitative differences. The best way to understand what that means is to spectate, fortunately, these maneuvers do not disrupt threat intelligence in any way.

IoC RedLine Stealer

How to stay protected?

I’ve already mentioned preferred spreading ways that RedLine has used since its emergence in 2020. Protective measures should be built around counteracting these methods. And, of course, as the last line of defense, there should be anti-malware software.

Perform a diligent check for each email you receive. It may look like a too paranoid measure for messages, but be aware – it is not about “just emails”. The number of cyberattacks on companies of all sizes done through email spam is terrifying, thus such a threat should not be ignored. Any questionable attachment, link, or strange email address of a sender is a red flag.

Use network monitoring tools. Both active and passive will fit, as RedLine does not apply complicated anti-detection methods. Still, it tries to spoof the traffic path during the C2 communication – and here is where protective solutions shine. Firewalls are much cheaper and easier to set up, but lack reactive response capabilities. Meanwhile, NDR solutions trade their complexity and expense for the ability to intercept even the most novice threats.

Anti-malware software – the last argument of kings. The ideal network security situation is preventing malware from making its way to the live workstation. Though idealism is sometimes synonymous with naivety. For that reason, a thing to back up your security is essential, both if you’re a home user or are connected to the corporate LAN. GridinSoft Anti-Malware is a great choice for home protection, though it will be better to seek a specialized option to protect an entire network.

RedLine Stealer Issues 100,000 Samples – What is Happening?

The post RedLine Stealer Issues 100,000 Samples – What is Happening? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/redline-stealer-100000-samples/feed/ 0 14500
Fake MSI Afterburner Infects Users’ Machines with Miners and Stealers https://gridinsoft.com/blogs/fake-msi-afterburner/ https://gridinsoft.com/blogs/fake-msi-afterburner/#respond Fri, 25 Nov 2022 08:31:56 +0000 https://gridinsoft.com/blogs/?p=12255 According to cybersecurity specialists from Cyble, attackers distribute miners and the RedLine infostealer using download sites for the fake MSI Afterburner utility. Over the past three months, more than 50 such fake resources have appeared on the network. Let me remind you that we also talked that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer,… Continue reading Fake MSI Afterburner Infects Users’ Machines with Miners and Stealers

The post Fake MSI Afterburner Infects Users’ Machines with Miners and Stealers appeared first on Gridinsoft Blog.

]]>
According to cybersecurity specialists from Cyble, attackers distribute miners and the RedLine infostealer using download sites for the fake MSI Afterburner utility. Over the past three months, more than 50 such fake resources have appeared on the network.

Let me remind you that we also talked that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that IS Specialists Discovered a New Version of Malware from Russian Hackers LOLI Stealer.

MSI Afterburner is the most popular GPU overclocking, monitoring and fine-tuning tool that can be used by owners of almost any video card, and thanks to this, it is quite naturally used by millions of gamers around the world.

Alas, the popularity of the utility has made it a good target for cybercriminals who abuse the fame of MSI Afterburner to attack Windows users with powerful graphics cards that can be used for cryptocurrency mining.

The researchers say that the campaign they found used various domains that could be mistaken by users for the official MSI website (besides, such resources were easier to promote using “black hat SEO”). Some of these domains are listed below:

  1. msi-afterburner–download.site
  2. msi-afterburner-download.site
  3. msi-afterburner-download.tech
  4. msi-afterburner-download.онлайн
  5. msi-afterburner-download.store
  6. msi-afterburner-download.ru
  7. msi-afterburner.download
  8. msafterburners.com
  9. msi-afterburnerr.com

Fake MSI Afterburner
Fake site

In other cases, the domains did not attempt to imitate the MSI brand and were likely promoted directly through private messages, forums, and social media:

  1. git[.]git[.]skblxin[.]matrizauto[.]net
  2. git[.]git[.]git[.]skblxin[.]matrizauto[.]net
  3. git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
  4. git[.]git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net

Running the fake MSI Afterburner setup file (MSIAfterburnerSetup.msi) from these sites installed the real Afterburner. But at the same time, the installer silently downloaded and launched the RedLine malware, which specializes in data theft, and the XMR miner on the victim’s device.

Once installed, the miner connects to its pool using a hard-coded username and password, and then collects and transmits basic system data to attackers. In this case, the value of CPU max threads is set to 20, exceeding the number of threads even for the most modern processors. That is, the malware is configured to capture all the available power of the infected machine.

At the same time, the malware starts mining cryptocurrency only 60 minutes after the processor goes into standby mode, that is, it makes sure that the infected computer does not perform any resource-intensive tasks and, most likely, was left unattended.

In addition, the miner uses “-cinit-stealth-targets”, which allows it to pause activity and clean up GPU memory when running certain programs listed in the stealth targets section. These can be process monitors, antivirus software, device hardware resource viewers, and other tools that can help the victim detect a malicious process. Experts write that the miner hides in Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe and procexp64.exe.

While the miner quietly uses the resources of the victim’s system to mine Monero, the RedLine stealer works in the background, stealing passwords, cookies, browser information and data from any cryptocurrency wallets.

The Cyble report notes that so far, the components of this fake MSI Afterburner are poorly detected by antiviruses. For example, according to VirusTotal, the malicious installation file MSIAfterburnerSetup.msi is detected by only three security products out of 56, and the browser_assistant.exe file by only two products out of 67.

The post Fake MSI Afterburner Infects Users’ Machines with Miners and Stealers appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fake-msi-afterburner/feed/ 0 12255
Magnat campaigns delivering fake installers https://gridinsoft.com/blogs/magnat-campaigns-delivering-fake-installers/ https://gridinsoft.com/blogs/magnat-campaigns-delivering-fake-installers/#respond Thu, 23 Dec 2021 14:49:33 +0000 https://gridinsoft.com/blogs/?p=6769 Cyber security specialists warn of the Magnat malicious distribution waves targeted at the potential users of some most popular software. Threat actors use the methods of malvertising to successfully distribute their malicious software installer. The work presents itself especially tricky as it predisposes its victims to a high degree of trust and feeling of legitimacy.… Continue reading Magnat campaigns delivering fake installers

The post Magnat campaigns delivering fake installers appeared first on Gridinsoft Blog.

]]>
Cyber security specialists warn of the Magnat malicious distribution waves targeted at the potential users of some most popular software. Threat actors use the methods of malvertising to successfully distribute their malicious software installer. The work presents itself especially tricky as it predisposes its victims to a high degree of trust and feeling of legitimacy. In malvertising threat actors use keywords related to searched software. And then they present to unknowing users links to download desired software. Specialists point out that in case of such types of threats, security awareness sessions, endpoint protection and network filtering should be in place to guarantee the safety of the system.

The malicious campaigns have been going on for nearly three years

The malicious campaigns have been going on for nearly three years. The malware activity started in 2018 with numerous C2 addresses that threat actors used in every month of activity. However one of the domains stataready[.]icu threat actors used as the MagnatExtension C2 only in January 2019. They still use it in the settings obtained from the C2 servers as the updated C2. In August this year a security researcher mentioned the malvertising campaign on their Twitter page. They posted screenshots of the ads and shared one of the downloaded samples.

Threat actors mostly targeted Canada (50% of the total infections), U.S and Australia. Also they focused their efforts on Norway, Spain and Italy. Cyber security specialists add that authors of the malware regularly improve their works, activity that shows clearly there will be other floods of malicious waves. The malware alone specialists discern one being the password stealer and the other a Chrome extension that works as a banking trojan. The use of the third element of the distributed malware RDP backdoor remains unclear to specialists. The first two may be used to obtain user credentials and further sell them or use for its own future purposes. While the third, RDP, threat actors most likely will use it for further exploitation on systems or sell as RDP access.

In an attack a user would look for a desired software when they come across an ad with a link

In an attack a user would look for a desired software when they come across an ad with a link. It redirects them to a web page where they could download searched software. Attackers named the downloads with different names. It could be nox_setup_55606.exe, battlefieldsetup_76522.exe, wechat-35355.exe, build_9.716-6032.exe, setup_164335.exe and viber-25164.exe. On the execution it won`t install the actual software but instead the malicious loader on the system. The installer in its turn deobfuscates and begins the execution of three malicious payloads: Password Stealer ( Redline or Azorult), Chrome Extension Installer and RDP Backdoor.

Specialists discern the installer/loader as a nullsoft installer that decodes and drops a legitimate AutoIt interpreter or an SFX-7-Zip archive. Here come also three obfuscated AutoIt scripts that decode the final payloads in memory and inject them into the memory to another process. Three specific pieces of malware make up the final payloads :

  • An installer for a chrome extension that includes several malicious features for stealing data from the web browser: keylogger, screenshotter, a form grabber, cookie stealer and arbitrary JavaScript executor;
  • A commodity password stealer. Initially it was Azorult and now it is Redline. Both have functions to steal all the credentials stored on the system. They are universally known across the community;
  • A backdoor, or backdoor installer configures the system for RDP access, adds a new user. And then appoints a scheduled task and recurrently ping the C2. On instruction it creates an outbound ssh tunnel sending on the RDP service.
  • The post Magnat campaigns delivering fake installers appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/magnat-campaigns-delivering-fake-installers/feed/ 0 6769