A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension with the goal of stealing credentials and data stored in the compromised systems as well as maintaining persistent remote access.
Cisco Talos attributed the malware payloads to an unknown actor that goes by the alias "magnat," noting that "these two families have been subject to constant development and improvement by their authors."
The attacks are believed to have commenced in late 2018, with intermittent activity observed towards the end of 2019 and through early 2020, followed by fresh spikes since April 2021, while mainly singling out users in Canada, followed by the U.S., Australia, Italy, Spain, and Norway.
A noteworthy aspect of the intrusions is the use of malvertising as a means to strike individuals who are looking for popular software on search engines to present them links to download fake installers that drop a password stealer called RedLine Stealer, a Chrome extension dubbed "MagnatExtension" that's programmed to record keystrokes and capture screenshots, and an AutoIt-based backdoor that establishes remote access to the machine.
The extension's command-and-control (C2) communications stand out as well. While the C2 address is hard-coded, it can also be updated by the current C2 with a list of additional C2 domains. But in the event of failure, it falls back to an alternate method that involves obtaining a new C2 address from a Twitter search for hashtags like "#aquamamba2019" or "#ololo2019."
The domain name is then constructed from the accompanying tweet text by concatenating the first letter of each word, meaning a tweet with the content "Squishy turbulent areas terminate active round engines after dank years. Industrial creepy units" and containing the hashtag "#aquamamba2019" is translated to "stataready[.]icu."
Once an active command-and-control server becomes available, the vacuumed data — browser history, cookies, form data, keystrokes, and screenshots — is exfiltrated in the form of an encrypted JSON string in the body of an HTTP POST request, the encryption key to which is hard-coded in the decryption function. The encryption key, in turn, is encrypted with the server's public key.
"Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker's goals are to obtain user credentials, possibly for sale or for his own use in further exploitation," Cisco Talos researcher Tiago Pereira said.
"The motive for the deployment of an RDP backdoor is unclear. The most likely are the sale of RDP access, the use of RDP to work around online service security features based on IP address or other endpoint installed tools or the use of RDP for further exploitation on systems that appear interesting to the attacker."