People tend to be less guarded when they’re dealing with something familiar. Digital attackers know this, which explains why they set up malware behind ads pretending to be for Microsoft Store products and Spotify.
Bleeping Computer learned from ESET that the attackers were using malicious advertisements as part of their attack chain. Once clicked, those ads sent users to fake Spotify or Microsoft Store websites that served samples of the Ficker stealer family.
Read on to learn how these websites enticed visitors to infect themselves with malware.
Want a Legit App? Well, Here’s Some Malware Instead…
The attackers used malicious ads to lure in users with promotions for real apps.
Security researchers spotted one ad promoting an online chess app, for example. When clicked, the ad sent users to a fake Microsoft Store page. Clicking on the ‘Download Free’ button retrieved a malware payload disguised as xChess_v.709.zip from an Amazon AWS server.
Some of the other malicious ads directed users to a landing page offering a free bundle of Spotify Music and YouTube Premium for 90 days. No such bundle existed as of this writing.
The website then instructed visitors to click on a ‘Download Free App (1 MB)’ button. It’s worth noting that no music player is that small in size. At this time, the actual size of the real Spotify mobile and desktop apps was at least 150 MB.
Both of those downloads delivered Ficker onto the victim’s device. This malware is capable of stealing users’ passwords, taking screenshots of their computers and lifting documents.
Other Recent Attacks Involving Ficker
Malware analysts took to Twitter to expose Ficker in October 2020. At that time, they observed the malware developer renting out Ficker on Russian-speaking cracker forums.
In the months that followed, researchers learned more about how the digital threat works and observed the malware in action. One of the first eureka moments came from Minerva in early March, when its researchers witnessed Ficker download the Kronos RAT in a lab setting.
A few weeks later, Infoblox detected a malspam campaign that used DocuSign-themed lures to install the Hancitor Trojan…