New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

November 9, 2023 at 09:09AM

A malvertising campaign is targeting users searching for CPU-Z by serving malicious ads that redirect them to a fake Windows news portal. The campaign also cloaks itself by showing innocuous content to those not targeted. The rogue website contains a malicious script that deploys RedLine Stealer. Similar deceptive Google Ads have been used in previous malware distribution campaigns. Additionally, a new attack method called Wiki-Slack has been identified, exploiting a quirk in Slack to direct victims to attacker-controlled websites.

Key takeaways from the meeting notes:

– A new malvertising campaign has been discovered that uses fake websites posing as legitimate Windows news portals to distribute a malicious installer for the CPU-Z system profiling tool.
– The campaign also targets other utilities such as Notepad++, Citrix, and VNC Viewer.
– The goal of the campaign is to trick users searching for CPU-Z on search engines by redirecting them to the fake portal.
– The rogue website hosts an MSI installer that contains a malicious PowerShell script known as FakeBat or EugenLoader, which deploys the RedLine Stealer on compromised hosts.
– Similar deceptive Google Ads for popular software have been used as malware distribution vectors in the past.
– Other recent campaigns have utilized drive-by downloads to propagate malware families like NetWire RAT, DarkGate, and DanaBot.
– Threat actors are increasingly relying on phishing kits like NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack accounts.
– A new method called the Wiki-Slack attack has been identified, involving the manipulation of Slack’s preview feature to direct victims to an attacker-controlled website.
– The Wiki-Slack attack exploits a formatting quirk in Slack and requires specific conditions in the first and second paragraphs of a Wikipedia article.
– Threat actors could further enhance the Wiki-Slack attack by editing Wikipedia pages to deface them and increase the attack surface.

Please note that this summary is based on the provided meeting notes and may not include all details or context.

Full Article