Password-stealing and keylogging malware spread via fake downloads

Cybercriminals are using online advertisements for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same abilities as Trojan horse malware – which provide attackers usernames and passwords, and remote backdoor access to infected Windows PCs.

The attacks, which distribute two seemingly undocumented forms of custom-developed malware, were detailed by Cisco Talos cybersecurity researchers who named the campaign ‘tycoon’. It appears that the campaign has been working to some extent since 2018 and the malware is under continuous development.

More than half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.

TO SEE: A winning strategy for cybersecurity (ZDNet special report)

Researchers believe that victims are tricked into downloading the malware via malicious advertisements – malicious online advertisements – which trick them into downloading bogus installers of popular software onto their systems. Users are likely to search for legitimate versions of software, but are directed to malicious versions by advertisements.

Some of the software users are tricked into downloading include fake versions of messaging apps such as Viber and WeChat, as well as fake installers for popular video games like Battlefield.

The installer does not install the advertised software, but instead installs three forms of malware: a password stealer, a backdoor, and a malicious browser extension, which enables keylogging and taking screenshots of what the infected user is looking at.

The distributed password stealer in the attacks is known as Redline, a relatively common piece of malware that steals all usernames and passwords it finds on the infected system. Magnate previously distributed another password stealer, Azorult. The switch to Redline is likely because Azorult, like many other forms of malware, stopped working properly after the release of Chrome 80 in February 2020.

While password stealers are both off-the-shelf malware, the previously undocumented backdoor installer – which the researchers called MagnatBackdoor – appears to be a more bespoke form of malware that has been distributed since 2019, although there were times when distribution stopped for months.

MagnatBackdoor configures the infected Windows system to allow stealth Remote Desktop Protocol (RDP) access, as well as adding a new user and scheduling the system to ping a command and control server run by attackers at regular intervals. The backdoor allows the attackers to secretly access the PC remotely when needed.

The third payload is a downloader for a malicious Google Chrome extension, which researchers have named MagnatExtension. The extension is delivered by the attackers and is not from the Chrome Extension Store.

SEE: Hackers are turning to this simple technique to install their malware on PCs

This extension contains various ways to steal data directly from the web browser, including the ability to take screenshots, steal cookies, steal information entered in forms, as well as a keylogger, which records anything the user types in the browser. All of this information is then sent back to the attackers.

The researchers compared the capabilities of the extension to a banking Trojan. They suggest that the ultimate goal of the malware is to obtain user credentials, either to sell them on the dark web or for further exploitation by attackers. The cybercriminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating the malware and it is expected to continue.

“Both of these families have been the subject of constant development and improvement by their authors – this is probably not the last we hear about them,” said Tiago Pereira, security researcher at Cisco Talos. .

“We believe that these campaigns use malvertising as a way to reach users interested in software-related keywords and present them with links to download popular software. This type of threat can be very effective and requires implementation implementation of multiple layers of security controls, such as endpoint protection, network filtering, and security awareness sessions,” he added.


Sam D. Gomez