A malvertising operation tricked users by posing as an in-browser Windows update and spreading the Aurora stealer instead. The stealer, written in Golang, has reportedly been available on several hacker forums for over a year. It is marketed as an info-stealer with multiple capabilities and low anti-malware detection.
About the malvertising operation
Experts report that the malvertising operation is based on well-known ads on adult content websites with high traffic, leading potential victims to a location serving malware.
The malicious ads redirect users to seemingly legitimate Windows security updates. The scheme is well-crafted and utilizes a full-screen animation that resembles Microsoft's UI, relying on the web browser to execute it.
The fake security update, known as ChromeUpdate[.]exe, employs a newly discovered loader that has not yet been identified by malware sandboxes, allowing it to evade almost all anti-malware engines.
Unwrapping the FUD malware loader
The Chrome updater is a fully undetectable (FUD) loader called Invalid Printer, which this threat actor especially uses. Despite being uploaded to VirusTotal, no anti-malware engine flagged it as malicious.
Invalid Printer first checks the host’s graphic card to determine if it’s running on a VM or sandbox environment. If not, it unpacks and runs a copy of the Aurora information stealer.
The threat actor seems to be particularly interested in creating hard-to-detect tools and frequently uploads new samples on VirusTotal to test their evasion capabilities.
They further use an Amadey panel, a well-known reconnaissance and malware-loading tool. They also utilized it to run tech support scams in Ukraine.
Conclusion
The malvertising operation highlights how attackers are utilizing innovative tactics, such as a full-screen browser window that simulates a legitimate Windows system update screen. To protect themselves, organizations can implement an ad-blocking solution to prevent malicious ads from appearing. Moreover, the security firm has provided a technical analysis of the malware, its behavior, and IOCs that could help organizations defend themselves against the threat.