#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

malvertising | Breaking Cybersecurity News | The Hacker News

FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

Feb 06, 2023 Malvertising / Data Safety
An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel  said  in a technical write-up. The shift to Google malvertising is the latest example of how crimeware actors are  devising alternate delivery routes  to distribute malware ever since Microsoft announced plans to block the execution of macros in Office by default from files downloaded from the internet. Malvertising entails placing rogue search engine advertisements in hopes of tricking users searching for popular software like Blender into downloading the trojanized software. The MalVirt loaders, which are implemented in .NET, use the legitimate  KoiVM  virtualizing protector for .NET applicati
Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps

Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps

Jan 23, 2023 Mobile Security / Malvertising
Researchers have shut down an "expansive" ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices.  "VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views," fraud prevention firm HUMAN  said . The operation gets its name from the use of a DNS evasion technique called  Fast Flux  and  VAST , a Digital Video Ad Serving Template that's employed to serve ads to video players. The sophisticated operation particularly exploited the restricted in-app environments that run ads on iOS to place bids for displaying ad banners. Should the auction be won, the hijacked ad slot is leveraged to inject rogue JavaScript that establishes contact with a remote server to retrieve the list of apps to be targeted. This includes the  bundle IDs  that belong to leg
cyber security

external linkeBook: 3 Steps to Implement Zero Trust Access

websitewww.cyolo.ioZero Trust Security
Streamline your zero-trust access journey with three simple steps for high-risk, remote, and hybrid users.
New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

Dec 29, 2022 Online Security / Malvertising
Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords. The ultimate objective of such attacks is to  trick   unsuspecting   users  into downloading malevolent programs or potentially unwanted applications. In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive. "The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the server imme
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions

New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions

Dec 03, 2021
A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension with the goal of stealing credentials and data stored in the compromised systems as well as maintaining persistent remote access. Cisco Talos attributed the malware payloads to an unknown actor that goes by the alias " magnat ," noting that "these two families have been subject to constant development and improvement by their authors." The attacks are believed to have commenced in late 2018, with intermittent activity observed towards the end of 2019 and through early 2020, followed by fresh spikes since April 2021, while mainly singling out users in Canada, followed by the U.S., Australia, Italy, Spain, and Norway. A noteworthy aspect of the intrusions is the use of malvertising as a means to strike individua
Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan

Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan

Aug 17, 2021
A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen  said  in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was  previously found  targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in Internet Explorer browser. The switch in tactics is an indicator that the adversary is singling out users of web browsers other than Internet Explorer, the researchers added. Water Kappa's latest infection routine commences with malvertisements for either Japanese animated porn games, reward points apps, or video streaming services, with t
120 Compromised Ad Servers Target Millions of Internet Users

120 Compromised Ad Servers Target Millions of Internet Users

Apr 20, 2021
An ongoing malvertising campaign tracked as "Tag Barnakle" has been behind the breach of more than 120 ad servers over the past year to sneakily inject code in an attempt to serve malicious advertisements that redirect users to rogue websites, thus exposing victims to scamware or malware. Unlike other operators who set about their task by infiltrating the ad-tech ecosystem using "convincing personas" to buy space on legitimate websites for running the malicious ads, Tag Barnakle is "able to bypass this initial hurdle completely by going straight for the jugular — mass compromise of ad serving infrastructure,"  said  Confiant security researcher Eliya Stein in a Monday write-up. The development follows a year after the Tag Barnakle actor was found to have  compromised nearly 60 ad servers  in April 2020, with the infections primarily targeting an open-source advertising server called Revive. The latest slew of attacks is no different, although the adve
Google Removes 21 Malicious Android Apps from Play Store

Google Removes 21 Malicious Android Apps from Play Store

Oct 27, 2020
Google has stepped in to remove several Android applications from the official Play Store following the disclosure that the apps in question were found to serve intrusive ads. The findings were  reported  by the Czech cybersecurity firm Avast on Monday, which said the 21 malicious apps (list  here ) were downloaded nearly eight million times from Google's app marketplace. The apps masqueraded as harmless gaming apps and came packed with  HiddenAds  malware, a notorious Trojan known for its capabilities to serve intrusive ads outside of the app. The group behind the operation relies on social media channels to lure users into downloading the apps. Earlier this June, Avast discovered a  similar HiddenAds campaign  involving 47 gaming apps with over 15 million downloads that were leveraged to display device-wide intrusive ads. "Developers of adware are increasingly using social media channels, like regular marketers would," Avast's Jakub Vávra said. "This time
Over A Billion Malicious Ad Impressions Exploit WebKit Flaw to Target Apple Users

Over A Billion Malicious Ad Impressions Exploit WebKit Flaw to Target Apple Users

Oct 01, 2019
The infamous eGobbler hacking group that surfaced online earlier this year with massive malvertising campaigns has now been caught running a new campaign exploiting two browser vulnerabilities to show intrusive pop-up ads and forcefully redirect users to malicious websites. To be noted, hackers haven't found any way to run ads for free; instead, the modus operandi of eGobbler attackers involves high budgets to display billions of ad impressions on high profile websites through legit ad networks. But rather than relying on visitors' willful interaction with advertisements online, eGobbler uses browser (Chrome and Safari) exploits to achieve maximum click rate and successfully hijack as many users' sessions as possible. In its previous malvertising campaign, eGobbler group was exploiting a then-zero-day vulnerability (CVE-2019-5840) in Chrome for iOS back in April , which allowed them to successfully bypass browser's built-in pop-up blocker on iOS devices and hij
Python-Based Adware Evolves to Install Malicious Browser Extensions

Python-Based Adware Evolves to Install Malicious Browser Extensions

Jun 26, 2018
Security researchers have been warning of a few newly detected variants of python -based adware that are being distributed in the wild not only to inject ads but also found installing malicious browser extensions and hidden cryptocurrency miner into victims' computers. Dubbed PBot , or PythonBot , the adware was first uncovered more than a year ago, but since then the malware has evolved, as its authors have been trying different money-making schemes to profit themselves, according to researchers at Kaspersky Labs. The previous versions of the PBot malware were designed to perform man-in-the-browser (MITB) attacks to inject unwanted advertising scripts on web pages visited by the victim, but the newer variants have been found installing malicious ad extensions in the web browser. "Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation," Kaspersky researchers said in their blog post published today.
Warning: Millions Of P0rnHub Users Hit With Malvertising Attack

Warning: Millions Of P0rnHub Users Hit With Malvertising Attack

Oct 10, 2017
Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections. Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG , which is well known for distributing Kovter ad fraud malware that was used in 2015 malicious ad campaign s, and most recently earlier in 2017 . The KovCoreG hacking group initially took advantage of P0rnHub—one of the world's most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer. According to the Proofpoint researchers, the infections in this campaign first appeared on P0rnHub web pages via a legitimate advertising network called Traffic Junky, which tricked users into installing the Kovtar malware onto the
DNSChanger Malware is Back! Hijacking Routers to Target Every Connected Device

DNSChanger Malware is Back! Hijacking Routers to Target Every Connected Device

Dec 17, 2016
Next time when you see an advertisement of your favorite pair of shoes on any website, even if it is legitimate, just DO NOT CLICK ON IT. …Because that advertising could infect you in such a way that not just your system, but every device connected to your network would get affected. A few days ago, we reported about a new exploit kit, dubbed Stegano , that hides malicious code in the pixels of banner advertisements rotating on several high profile news websites. Now, researchers have discovered that attackers are targeting online users with an exploit kit called DNSChanger that is being distributed via advertisements that hide malicious code in image data. Remember DNSChanger? Yes, the same malware that infected millions of computers across the world in 2012. DNSChanger works by changing DNS server entries in infected computers to point to malicious servers under the control of the attackers, rather than the DNS servers provided by any ISP or organization. So, wheneve
Malvertising Campaign Hits Top Websites to Spread Ransomware

Malvertising Campaign Hits Top Websites to Spread Ransomware

Mar 18, 2016
Hackers are always in search for an elite method to create loopholes in the cyberspace to implement the dark rules in the form of vulnerability exploitation. Top Trustworthy sites such as The New York Times , BBC , MSN , AOL and many more are on the verge of losing their face value as a malwertized advertisement campaign are looming around the websites, according to SpiderLabs. Here's what Happens to Users when Clicking Ads on these Big Brand Sites: The advertisements on the legit sites trick users into clicking on it, making them believe that these circulated ads come from a trusted networks. Once clicked, the malicious Ad redirects the user to a malicious website that hosts Angler Exploit Kit (AEK) to infect visitors by installing malware and ransomware on their computer. Angler Exploit Kit includes many malicious hacking tools and zero-day exploits that let hackers execute drive-by attacks on visitors' computers. In this case, the Angler kit scan
Hackers Install Free SSL Certs from Let's Encrypt On Malicious Web Sites

Hackers Install Free SSL Certs from Let's Encrypt On Malicious Web Sites

Jan 07, 2016
Who else didn't see this coming? It was so obvious as I stressed earlier that the  Let's Encrypt free HTTPS certificates would not just help legitimate website operators to encrypt its users' traffic, but also help criminals to bother innocent users with malware through secure sites. Let's Encrypt allows anyone to obtain free SSL/TLS ( Secure Socket Layer/Transport Layer Security ) certificates for their web servers that encrypt all the Internet traffic passed between a server and users. Let's Encrypt is recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer. The organization started offering Free HTTPS certs to everyone from last month, and it is very easy for anyone to set up an HTTPS website in a few simple steps ( How to Install Free SSL Cert ). However, the most bothersome part is that Let's Encrypt free SSL certs are not only used by website owners to secure its
Cybersecurity Resources