Tag Archive for: ads

Nitrogen Campaign Starts with Fake Ads, Ends with Ransomware


Threat actors are placing bogus advertisements for IT tools on search engines such as Google and Microsoft’s Bing, hoping to lure tech users into downloading malware that starts an attack chain ending in ransomware such as BlackCat.

The attackers use the Nitrogen malware to gain initial access to corporate networks, then move to the second stage of the attack, which includes deploying Cobalt Strike Beacons and the Meterpreter shell, a payload that lets an attacker move through a targeted system and execute code, according to Sophos’s X-Ops team.

“We assess it is likely that the threat actors mean to leverage this infection chain to stage compromised environments for ransomware deployment,” X-Ops researchers Gabor Szappanos, Morgan Demboski, and Benjamin Sollman wrote in a report.

The Nitrogen campaign is only the latest in what the researchers describe as an increasingly popular type of attack that abuses pay-per-click ads displayed in search engine results. They have seen the attackers target organizations in the technology and nonprofit sectors in North America, and given the array of trojanized installers that lead to infections, “the threat actors are trying to cast a wide net to lure unsuspecting users seeking certain IT utilities, and it is likely this campaign will attempt to impersonate other types of popular software to deliver Nitrogen in future attacks.”

Sophos’ analysis of the campaign follows research by Trend Micro and eSentire, both of which found a similar pattern.

It Starts with Malvertising

According to Sophos, the infections begin with fake ads (malvertising) placed through Google and Bing Ads that direct victims to compromised WordPress sites and phishing pages mimicking the download pages of legitimate, popular software. Visitors who download from these pages receive trojanized ISO installers.

The software the campaign impersonates includes the AnyDesk remote desktop app, Cisco AnyConnect VPN installers, and WinSCP, a Windows file-transfer client. The researchers listed nine trojanized installers deploying the Nitrogen package.

“These applications are often used for business-related…

Source…

‘Nitrogen’ Ransomware Effort Lures IT Pros via Google, Bing Ads


Hackers are planting fake advertisements — “malvertisements” — for popular IT tools on search engines, hoping to ensnare IT professionals and perform future ransomware attacks.

The scheme centers on pay-per-click ads on Google and Bing that link to compromised WordPress sites and phishing pages mimicking download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the software they intended, bundled with a trojanized Python package containing initial-access malware, which the attackers then use to drop further payloads.

Researchers from Sophos are calling the campaign “Nitrogen.” It has already touched several technology companies and nonprofits in North America. Though none of the known cases has yet succeeded, the researchers noted that they have seen “hundreds of brands co-opted for malvertising of this sort across multiple campaigns in recent months.”

“The key thing here is that they’re targeting IT people,” says Christopher Budd, director of Sophos X-Ops. Skipping right to the people closest to an organization’s most sensitive systems, he says, “is actually a fairly efficient and effective way of targeting.”

Honeypots for IT Pros

Search engine surfers who click on a Nitrogen malvertisement will typically end up on a phishing page mimicking the actual download page for the software they’re attempting to download — for example, “winsccp[.]com,” with that extra “c” subtly added in.

In one case, instead of a mere phishing page, the researchers found a compromised WordPress site at mypondsoftware[.]com/cisco. They noted that “all other links on the mypondsoftware[.]com point to legitimate cisco.com Web pages, except for the download link for this particular installer,” which leads to a malicious phishing page.
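The extra “c” in winsccp[.]com is a typosquat, and the same two heuristics (small edit distance from a brand label, or a brand label embedded in a longer one) catch most of the lookalikes Sophos describes. The following is an added example written for this archive, not Sophos’s code and not taken from the Nitrogen report: it runs those checks over constructed DNS/proxy log lines. The brand list, the allowlist of known-good domains, the distance thresholds and the log lines are all assumptions made for illustration.

```python
"""Flag lookalike domains (e.g. winsccp[.]com for winscp.net) in DNS/proxy logs.

Added example for this article; not code from Sophos or the original page.
The brand list, allowlist, thresholds and log lines are assumptions made for
illustration.
"""
import re

# Registrable labels of the impersonated tools named in the article (assumed list).
BRAND_LABELS = ("anydesk", "cisco", "treesize", "winscp")

# Known-good FQDNs (assumed allowlist; a real one would be maintained alongside
# the proxy allowlist and be much longer).
KNOWN_GOOD = {"winscp.net", "anydesk.com", "cisco.com", "jam-software.com"}

# Constructed sample log lines, not real telemetry: "<timestamp> <client-ip> <queried name>".
SAMPLE_LOG = """\
2023-07-26T10:01:02Z 10.0.0.12 winscp.net
2023-07-26T10:01:09Z 10.0.0.12 winsccp.com
2023-07-26T10:02:44Z 10.0.0.31 anydesk.com
2023-07-26T10:03:10Z 10.0.0.31 anydeks.com
2023-07-26T10:04:00Z 10.0.0.40 example.org
2023-07-26T10:05:00Z 10.0.0.40 treesize-free.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Second-level label of a name ('winsccp' for winsccp.com).

    Deliberately naive: it ignores the public-suffix list, so co.uk-style names
    need real suffix handling in production.
    """
    labels = fqdn.lower().replace("[.]", ".").rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(fqdn: str):
    """Return (brand, reason) if fqdn looks like a brand impersonation, else None."""
    name = fqdn.lower().replace("[.]", ".")
    if name in KNOWN_GOOD:
        return None
    label = registrable_label(name)
    for brand in BRAND_LABELS:
        if label == brand:
            return brand, "brand label on an unexpected domain"
        # Short brand names have too many one-edit neighbours; be stricter for them.
        max_distance = 1 if len(brand) <= 5 else 2
        distance = edit_distance(label, brand)
        if distance <= max_distance:
            return brand, f"edit distance {distance} from brand label"
        if brand in label:
            return brand, "brand label embedded in a longer label"
    return None


def scan_log(text: str):
    """Run classify() over each log line; return (timestamp, client, fqdn, brand, reason)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, fqdn = m.groups()
        verdict = classify(fqdn)
        if verdict:
            hits.append((ts, client, fqdn, *verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The allowlist does the real work: without it, every legitimate winscp.net lookup would be reported as “brand label on an unexpected domain”. In practice the hit list is only a triage queue; a hit should be joined with the HTTP response (was it a download of an .iso or .msi?) before anyone acts on it.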

Hitting “download” on any of these pages fetches a trojanized ISO installer that sideloads a malicious dynamic link library (DLL). The ISO does contain the software the user wanted, but the sideloaded DLL carries the initial-access malware along with it.
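The telemetry signature of that step is an executable outside the Windows directory loading a DLL that carries the name of a system library from its own directory, typically unsigned and, for an ISO, from a freshly mounted drive letter. The block below is an added example for this archive, not Sophos’s code and not derived from the Nitrogen samples: it scores constructed Sysmon ImageLoad (Event ID 7) records as JSON lines. The DLL name list, the directory rule and the sample events are assumptions for illustration.

```python
"""Spot DLL sideloading from an installer ISO in Sysmon ImageLoad (Event ID 7) records.

Added example for this article; not Sophos code and not based on the Nitrogen
samples themselves. The DLL name list, directory rules and events are assumed
for illustration.
"""
import json
import ntpath

# DLL names Windows normally resolves from System32; a same-named file next to
# an installer is the classic sideload setup (assumed, illustrative list).
SYSTEM_DLL_NAMES = {"msi.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Where those DLLs legitimately live (prefix covers System32, SysWOW64 and WinSxS).
WINDOWS_DIR_PREFIX = "c:\\windows\\"

# Constructed Sysmon-style Event ID 7 records as JSON lines (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": "E:\\install.exe",
     "ImageLoaded": "E:\\msi.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Program Files\\WinSCP\\WinSCP.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\helper.dll", "Signed": "false"},
])


def sideload_reasons(event: dict):
    """Return the reasons a load looks like a sideload, or [] if it does not."""
    if event.get("EventID") != 7:
        return []
    proc = event["Image"]
    dll = event["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SYSTEM_DLL_NAMES:
        return []                      # an app's own private DLLs are normal
    if dll.lower().startswith(WINDOWS_DIR_PREFIX):
        return []                      # loaded from where it belongs
    reasons = ["system DLL name loaded from outside the Windows directory"]
    if ntpath.dirname(dll).lower() == ntpath.dirname(proc).lower():
        reasons.append("DLL sits in the same directory as the loading executable")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("DLL is unsigned")
    drive = ntpath.splitdrive(proc)[0].lower()
    if drive and drive != "c:":
        # Windows mounts an ISO as a new drive letter, so an installer running
        # from a non-system drive is consistent with the ISO delivery described.
        reasons.append(f"executable runs from non-system drive {drive.upper()}")
    return reasons


def scan_image_loads(jsonl: str):
    """Evaluate each JSON-line event; return one alert dict per suspicious load."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = sideload_reasons(event)
        if reasons:
            alerts.append({"process": event["Image"],
                           "dll": event["ImageLoaded"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_image_loads(SAMPLE_EVENTS):
        print(alert["process"], "->", alert["dll"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The name list is the weak point: it has to be curated per environment, and a signed copy of a system DLL legitimately shipped beside an application (some installers do this) will still trip the first rule, which is why the extra reasons are reported rather than collapsed into a single verdict.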

From here, the malicious attack chain establishes a connection to attacker-controlled command and control (C2) infrastructure, and drops…

Source…

Criminals publish ads for hacking services on US government websites



Cybersecurity researchers from Citizen Lab recently spotted PDF files advertising hacking services on websites belonging to numerous U.S. government agencies and educational institutions.

As reported by TechCrunch late last week, the PDFs were found on .gov websites belonging to California, North Carolina, New Hampshire, and at least three more states, as well as at least five counties and administrative centers.

Universities such as UC Berkeley, Stanford, Yale, UC San Diego, and many others are also said to have had their websites compromised. Spain’s Red Cross, defense contractor Rockwell Collins, and an unnamed Irish tourism company were also affected.

SEO poisoning

In the PDFs, the threat actors advertise various services, including the ability to hack into social media accounts such as Instagram, Facebook, or Snapchat. They also advertise computer game cheats and fake follower generation. Interested parties are invited to open websites listed in the PDFs.

Discussing his findings, Citizen Lab researcher John Scott-Railton suggested that these were not the result of a targeted hack but of a threat actor abusing misconfigured servers and content management systems (CMS): “SEO PDF uploads are like opportunistic infections that flourish when your immune system is suppressed. They show up when you have misconfigured services, unpatched CMS bugs, and other security problems,” said Scott-Railton.


TechCrunch visited some of the websites listed in the PDFs and reports that the advertised hacks are most likely fake and that the entire scheme exists only to drive visitors to those websites. The sites, the publication says, present a fake CAPTCHA that only buys time while the site generates money in the background.

While the damage from this campaign appears to be almost non-existent, it raises the question of how so many government and educational institutions came to be compromised; the aftermath could have been far worse.

At press time, it is claimed that most of the PDF files have been…

Source…

BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads


Mar 11, 2023 | Ravie Lakshmanan | Cyber Threat Intelligence


The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif.

According to cybersecurity company eSentire, the malicious ads spoof a wide range of legitimate apps and services, including Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom.

BATLOADER, as the name suggests, is a loader that’s responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware.

One of the key traits of the BATLOADER operations is the use of software impersonation tactics for malware delivery.

This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps; the infection sequence starts when a user searching for the software clicks a rogue ad on the Google search results page.

Vidar Stealer and Ursnif Payloads

These MSI installer files, when launched, execute Python scripts that contain the BATLOADER payload, which retrieves the next-stage malware from a remote server.

This modus operandi marks a slight shift from the attack chains observed in December 2022, when the MSI installer packages ran PowerShell scripts to download the stealer malware.
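Both chains eSentire describes (the MSI running Python now, PowerShell in December 2022) share one telemetry signature: msiexec.exe spawning a script interpreter. The block below is an added example for this archive, not eSentire’s code and not derived from the BATLOADER samples: it triages constructed Sysmon ProcessCreate (Event ID 1) records for that parent/child pattern and, as low-severity context, for an MSI launched from the user’s Downloads folder. The interpreter list, path markers and sample events are assumptions for illustration.

```python
"""Flag script interpreters spawned by the Windows Installer in Sysmon
ProcessCreate (Event ID 1) records.

Added example for this article; not eSentire's code and not derived from the
BATLOADER samples. Interpreter list, path markers and events are assumed for
illustration.
"""
import json
import ntpath

# Interpreters an MSI custom action has no ordinary reason to launch (assumed list).
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}

# Path fragments that mark user-writable locations (assumed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed Sysmon-style Event ID 1 records as JSON lines (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i \"C:\\Users\\bob\\Downloads\\ExampleApp-Setup.msi\""},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\MSI4F2A.tmp\\python.exe",
     "CommandLine": "python.exe stage.py"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File install.ps1"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "Image": "C:\\Program Files\\ExampleApp\\app.exe",
     "CommandLine": "\"C:\\Program Files\\ExampleApp\\app.exe\""},
    {"EventID": 1, "ParentImage": "C:\\Program Files\\ExampleApp\\app.exe",
     "Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe tool.py"},
])


def triage(event: dict):
    """Return (severity, reason) for a suspicious process creation, else None."""
    if event.get("EventID") != 1:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = event.get("Image", "").lower()
    child = ntpath.basename(image)
    cmdline = event.get("CommandLine", "").lower()

    # High: the Windows Installer itself launched a script interpreter.
    if parent == "msiexec.exe" and child in SCRIPT_INTERPRETERS:
        reason = f"{child} spawned by the Windows Installer"
        if any(marker in image for marker in USER_WRITABLE_MARKERS):
            # e.g. a Python runtime unpacked by the MSI into the user's Temp folder
            reason += "; interpreter binary runs from a user-writable path"
        return "high", reason

    # Low: context only. An MSI installed from Downloads is how the malvertised
    # installer arrives, but it is also how most legitimate software arrives.
    if (child == "msiexec.exe" and "/i" in cmdline.split()
            and ".msi" in cmdline and "\\downloads\\" in cmdline):
        return "low", "MSI installed from the user's Downloads folder"
    return None


def scan_process_creates(jsonl: str):
    """Evaluate each JSON-line event; return one alert dict per hit, in log order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = triage(event)
        if verdict:
            severity, reason = verdict
            alerts.append({"severity": severity, "reason": reason,
                           "image": event["Image"], "cmdline": event["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_process_creates(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['reason']}: {alert['cmdline']}")
```

The fourth sample event (the installer launching the application it just installed) is deliberately not flagged: that is normal post-install behaviour, and a rule that alerts on every msiexec.exe child would be tuned out within a day. The low-severity hit earns its place only when it lands in the same session as a high one.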


Other BATLOADER samples analyzed by eSentire have also revealed added capabilities that allow the malware to establish entrenched access to enterprise networks.

“BATLOADER continues to see changes and improvement since it first emerged in 2022,” eSentire said.

“BATLOADER targets various popular applications for impersonation. This is no accident, as these applications are commonly found in business networks and thus, they would yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions.”


Source...

