Over the past months, there has been an increase in the abuse of Google Ads to distribute various malware. Threat actors have been leveraging the platform to promote fake websites offering legitimate software and application updates, tricking unsuspecting users into downloading malware onto their systems.
One such case, in which attackers abused the platform to propagate a new malware dubbed LOBSHOT, has recently come to notice. Based on their analysis, researchers claim that the infrastructure belongs to TA505, the well-known cybercriminal group associated with the Dridex, Locky, and Necurs campaigns.
About the campaign
Earlier this year, Elastic Security Labs observed a campaign with multiple infection chains that targeted users searching on Google for legitimate software downloads.
In one incident, a malicious ad for the AnyDesk remote desktop application was found being served on the Google search engine.
The landing pages closely resembled the legitimate AnyDesk website and included a ‘Download Now’ button that pointed to an MSI installer.
Clicking the button fetched the installer, which in turn executed the LOBSHOT malware on the victim's system without their knowledge.
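The chain described above ends with a browser-downloaded MSI being handed to the Windows installer. As an added defensive illustration that is not part of the original report and not Elastic's own detection logic, the Python script below correlates two simplified, Sysmon-style event types (file creation and process creation, in a constructed pipe-delimited format that is an assumption of this example) and flags any msiexec.exe launch whose .msi was written by a browser within a configurable window. The browser image names, the ten-minute window and all sample paths and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Browser images whose downloads are treated as untrusted (assumption for this example).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# How long after the download an msiexec launch is still considered related (assumption).
MAX_GAP = timedelta(minutes=10)
# Pulls the .msi argument out of an msiexec command line, quoted or unquoted.
MSI_ARG = re.compile(r'"([^"]+?\.msi)"|(\S+\.msi)', re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    kind: str     # "filecreate" (a file was written) or "proccreate" (a process started)
    image: str    # full path of the process responsible
    target: str   # file path for filecreate, command line for proccreate


def parse(line: str) -> Event:
    """Parse one constructed log line: '<iso timestamp>|<kind>|<image>|<target>'."""
    ts, kind, image, target = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), kind, image, target)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (NTFS names are case-insensitive)."""
    return PureWindowsPath(path).name.lower()


def msi_from_cmdline(cmdline: str):
    """Return the .msi path referenced by an msiexec command line, or None."""
    m = MSI_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def find_browser_dropped_msi_runs(lines):
    """Return msiexec launches whose .msi was written by a browser within MAX_GAP."""
    events = sorted((parse(line) for line in lines), key=lambda e: e.ts)
    drops = {}   # lower-cased .msi path -> (time written, browser image)
    hits = []
    for e in events:
        if (e.kind == "filecreate" and image_name(e.image) in BROWSERS
                and e.target.lower().endswith(".msi")):
            drops[e.target.lower()] = (e.ts, e.image)
        elif e.kind == "proccreate" and image_name(e.image) == "msiexec.exe":
            msi = msi_from_cmdline(e.target)
            if msi and msi.lower() in drops:
                dropped_at, browser = drops[msi.lower()]
                if timedelta(0) <= e.ts - dropped_at <= MAX_GAP:
                    hits.append({"msi": msi, "browser": browser,
                                 "dropped_at": dropped_at, "executed_at": e.ts,
                                 "cmdline": e.target})
    return hits


# Constructed sample telemetry; every path, name and timestamp is made up for this example.
SAMPLE_LOG = [
    "2023-04-20T10:00:05|filecreate|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\alice\\Downloads\\AnyDesk.msi",
    "2023-04-20T10:00:41|proccreate|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i \"C:\\Users\\alice\\Downloads\\AnyDesk.msi\" /qn",
    # Benign: a (hypothetical) software deployment agent writes the MSI, not a browser.
    "2023-04-20T11:15:00|filecreate|C:\\Program Files\\DeployAgent\\agent.exe|C:\\ProgramData\\DeployCache\\Tool.msi",
    "2023-04-20T11:15:30|proccreate|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\ProgramData\\DeployCache\\Tool.msi /qn",
    # Benign: a browser download that msiexec never runs.
    "2023-04-20T12:00:00|filecreate|C:\\Program Files\\Mozilla Firefox\\firefox.exe|C:\\Users\\alice\\Downloads\\Reader.msi",
]

if __name__ == "__main__":
    for h in find_browser_dropped_msi_runs(SAMPLE_LOG):
        print(f"[ALERT] {h['browser']} wrote {h['msi']} at {h['dropped_at']}; "
              f"msiexec ran it at {h['executed_at']}: {h['cmdline']}")
```

Run against the sample, only the Chrome-downloaded AnyDesk.msi that msiexec executes 36 seconds later is reported; the deployment-agent install and the unexecuted Firefox download are left alone. In a real environment the same correlation applies to Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), and the browser set and time window should be tuned to the organisation's own telemetry.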
Cliff notes on LOBSHOT
LOBSHOT appears to be used for financial gain, combining banking trojan, cryptocurrency-theft, and information-stealing capabilities.
It targets 32 Chrome extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions, enabling threat actors to steal cryptocurrency assets.
One of the malware's core capabilities is its Hidden Virtual Network Computing (hVNC) component, which gives operators covert remote control of the infected system and is difficult for antivirus solutions to detect.
End note
The distribution of malware such as LOBSHOT via malvertising campaigns indicates that cybercriminals will continue to explore the technique to expand their attacks. Although this malware has yet to expand its attack scope, it already packs significant functionality that helps threat actors move quickly during the initial access stage and gain full remote control over compromised systems.