‘Taurus’ Malicious Ad Campaign Puts Data At Risk

Matthew Broersma,
HSBC, security, hacking

Drive-by hacking tools plant Taurus data-stealing malware on vulnerable systems, as pandemic raises risk of corporate data being stolen from home computers

A new malicious advertising campaign is being used to spread data-stealing malware including Smoke Loader and Taurus Project, security researchers have said.

Researchers at Malwarebytes said they first noticed the campaign being used to spread Smoke Loader and other malware beginning in late August.

In the past few days the “large” campaign grew to include Taurus Project, said Malwarebytes’ threat intelligence team in an advisory.

Taurus Project is a relatively new malware strain that appeared only in the spring of this year.

The Tech Of Crime Part 2: Policing And DataMalvertising

It was previously spread via malicious bulk emails, targeting users in the United States.

The new malvertising campaign makes Taurus more dangerous, since it can be installed on vulnerable systems that merely view a malicious ad.

The ads are being displayed on adult sites and target mostly visitors from the US, but also Australia and the UK, Malwarebytes said.

The malicious ads use the Fallout exploit kit, a popular drive-by hacking toolkit, which tries to install Taurus via vulnerable versions of Internet Explorer or Adobe Flash Player.

Taurus was originally based on another data-stealing malware tool called “Predator the Thief”.

It has many of the same capabilities as Predator, including the ability to steal login credentials from browsers, FTP, VPN and email clients and cryptocurrency wallets.

Because of the similarities, many security tools detect Taurus as Predator the Thief, Malwarebytes said.

Data theft

Both tools scrape the system for data to steal, then exfiltrate it before loading additional attack tools, such as SystemBC and QBot.

Malwarebytes said it’s becoming increasingly common for malware to combine data theft and the ability to load further malware.

“Stealers are a popular malware payload these days and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware,” researchers said.

“Even though the threat actors behind Predator the Thief have appeared to have handed over a fork of their original creation and disappeared, the market for stealers is still very strong.”

Users can protect against drive-by hacking toolkits by keeping their systems up-to-date, since such tools generally rely on known security vulnerabilities that haven’t yet been patched.

Security experts say hacking activity has risen this year, as attackers seek to steal data from staff working from home due to the pandemic.