
Malicious Online Ad Campaign Steals User Logins

Attackers are using malicious online advertising to lure targets to download fake installers in a malware campaign aimed at stealing sensitive information such as account logins, security researchers have said.

The campaign, which researchers at Cisco Talos attribute to a group they call “Magnat”, is effective partly because it targets users who are already looking for software to install.

Credentials stolen by the group have been used in further attacks, including ransomware incidents, Cisco said.

The group targets users who are looking for legitimate software, such as Viber or WeChat, or the popular game Battlefield.

Malicious ads

When users search for a particular piece of software, they’re shown a malicious advertisement that leads to the fake installer, Cisco said.

The Magnat campaign dates as far back as late 2018, with about half of the affected users being in Canada. Users in the US, Australia and some EU countries are also affected.

Cisco uses the name “Magnat” as it appears as a username in the build path of the campaign’s bespoke malware.

“Since this threat delivers multiple different payloads, including information stealers, it can pose a significant threat to enterprises,” said Tiago Pereira, Cisco Talos technical lead of security research, in an advisory.

“We have seen the credentials stolen by these stealers act as an initial infection point for larger attacks, including ransomware incidents.”

Backdoor

Once launched, the fake installer plants a password stealer, a “backdoor” that sets up a stealth Microsoft Remote Desktop Protocol (RDP) session, and a malicious browser extension.

The backdoor, called MagnatBackdoor, enables future RDP sessions which the attackers can make use of themselves, or sell to others.

The stolen credentials are also likely to be destined for sale on hacking forums, Cisco said.

The Chrome extension, which Cisco calls MagnatExtension, has been in development since at least August 2018, and includes functions such as a keylogger, the ability to take screenshots of passwords and a browser cookie stealer.

It appears to users as a security feature called “Google’s Safe Browsing”.

Both the extension and the backdoor are custom-developed for the Magnat campaign.

Password theft

The campaign has used a range of commodity password stealers over time, beginning with Azorult and switching to others after Chrome version 80 disabled many of Azorult’s processes in February 2020.

Magnat has been testing replacements including Vidar Stealer, Gozi and Redline Stealer malware.

Pereira advised enterprises to have multiple layers of security controls in place to combat the threat.

“This type of threat can be very effective and requires that several layers of security controls are in place, such as endpoint protection, network filtering and security awareness sessions,” he said.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
