#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

malvertising | Breaking Cybersecurity News | The Hacker News

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials
Feb 06, 2024 Social Engineering / Malvertising
Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed  Ov3r_Stealer . "This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News. Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host. While the exact end goal of the campaign is unknown, it's likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a  QakBot-like loader  for additional payloads, including ransomware. The starting point of the attack is a weapo

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps
Jan 26, 2024 Malvertising / Phishing-as-a-service
Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign. "The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead," Malwarebytes' Jérôme Segura  said  in a Thursday report. "Such programs give an attacker full control of a victim's machine and the ability to drop additional malware." It's worth noting that the activity, codenamed  FakeAPP , is a continuation of a  prior attack wave  that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023. The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites. The Google infrastructure is used to embed link

Cybersecurity Tactics FinServ Institutions Can Bank On in 2024

Cybersecurity Tactics FinServ Institutions Can Bank On in 2024
Feb 14, 2024Financial Security / Cyber Threats
The landscape of cybersecurity in financial services is undergoing a rapid transformation. Cybercriminals are exploiting advanced technologies and methodologies, making traditional security measures obsolete. The challenges are compounded for community banks that must safeguard sensitive financial data against the same level of sophisticated threats as larger institutions, but often with more limited resources. The FinServ Threat Landscape Recent trends show an alarming increase in sophisticated cyber-attacks. Cybercriminals now deploy advanced techniques like deep fake technology and AI-powered attacks, making it increasingly difficult for banks to differentiate between legitimate and malicious activities. These developments necessitate a shift towards more sophisticated and adaptive cybersecurity measures. Take these industry statistics, for example. Financial firms report 703 cyberattack attempts per week.1 On average, 270 attacks (entailing unauthorized access of data, appl

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload
Jan 11, 2024 Malvertising / Cyber Attacks
Cybersecurity researchers have identified an updated version of a macOS information stealer called  Atomic  (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities. "It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules," Malwarebytes' Jérôme Segura  said  in a Wednesday report. Atomic Stealer  first emerged  in April 2023 for a monthly subscription of $1,000. It's capable of harvesting sensitive information from a compromised host, including Keychain passwords, session cookies, files, crypto wallets, system metadata, and the machine's password via a fake prompt. Over the past several months, the malware has been observed propagated via  malvertising  and  compromised sites  under the guise of legitimate software and web browser updates. Malwarebytes' latest analysis shows that Atomic Stealer is no

The Critical State of AI in the Cloud

cyber security
websiteWiz.ioArtificial Intelligence / Cloud Security
Wiz Research reveals the explosive growth of AI adoption and what 150,000+ cloud accounts revealed about the AI surge.

Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks

Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks
Dec 30, 2023 Cryptocurrency / Phishing Scam
Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets. "These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin  said . A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a "scam-as-a-service" offering by charging a percentage of the stolen amount,  typically 20% or 30% , from its collaborators in return for providing wallet-draining scripts and other services. In late November 2023, a similar wallet-draining service known as Inferno Drainer announced that it was  shutting down its operations  for good after helping scammers plunder over $70 million worth of crypto from 103,676 victims sinc

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software
Dec 19, 2023 Malvertising / Browser Security
The malware loader known as PikaBot is being distributed as part of a  malvertising   campaign  targeting users searching for legitimate software like AnyDesk. "PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura  said . The malware family, which  first   appeared  in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads. This  enables  the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike. One of the threat actors leveraging PikaBot in its attacks is  TA577 , a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoad

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware
Dec 04, 2023 Ransomware / Cyber Attack
Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team  said  in a series of posts on X (formerly Twitter). DanaBot , tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads. UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as  detailed  by Google-owned Mandiant in February 2021. Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the resu

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware
Nov 17, 2023 Malvertising / Malware
Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name  SEO#LURKER . "The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a report shared with The Hacker News. The threat actors are believed to leverage Google's Dynamic Search Ads ( DSAs ), which automatically generates ads based on a site's content to serve the malicious ads that take the victims to the infected site. The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and download the malware. "Traffic from the gaweeweb[.]com website to the fake

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
Nov 09, 2023 Endpoint Security / Malware
A new  malvertising campaign  has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura  said . While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com. The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online). At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known a

Experts Expose Farnetwork's Ransomware-as-a-Service Business Model

Experts Expose Farnetwork's Ransomware-as-a-Service Business Model
Nov 08, 2023 Cyber Threat / Endpoint Security
Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities. Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the  Nokoyawa   ransomware  strain, said it underwent a "job interview" process with the threat actor, learning several valuable insights into their background and role within those RaaS programs. "Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB,  said . The latest disclosure comes nearly six months after the cyber

New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics

New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics
Nov 06, 2023 Data Security / Malvertising
An updated version of an information stealer malware known as  Jupyter  has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers  said  in a report shared with The Hacker News. Jupyter Infostealer , also known as Polazert , SolarMarker, and Yellow Cockatoo, has a  track record  of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites. It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands. The la

Trojanized PyCharm Software Version Delivered via Google Search Ads

Trojanized PyCharm Software Version Delivered via Google Search Ads
Oct 31, 2023 Malvertising / Threat Intelligence
A new  malvertising campaign  has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. "Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat intelligence at Malwarebytes,  said  in a report. "Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead." The infected website in question is an unnamed online portal that specializes in wedding planning, which had been injected with malware to serve bogus links to the PyCharm software. The execution of the PyCharm installer results in the deployment of several stealer and loader families, such as Amadey, PrivateLoader, RedLine, Stealc, and Vid

Malvertising Campaign Targets Brazil's PIX Payment System with GoPIX Malware

Malvertising Campaign Targets Brazil's PIX Payment System with GoPIX Malware
Oct 25, 2023 Malvertising / Banking Trojan
The popularity of Brazil's  PIX  instant payment system has made it a  lucrative target for threat actors  looking to generate illicit profits using a new malware called GoPIX . Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off  using malicious ads  that are served when potential victims search for "WhatsApp web" on search engines. "The cybercriminals employ malvertising: their links are placed in the ad section of the search results, so the user sees them first," the Russian cybersecurity vendor  said . "If they click such a link, a redirection follows, with the user ending up on the malware landing page." As other malvertising campaigns observed recently, users who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots, and others not deemed to be genuine victims. This is accomplished by using a legitimate fraud prevention solution known as  IPQu

Malvertisers Using Google Ads to Target Users Searching for Popular Software

Malvertisers Using Google Ads to Target Users Searching for Popular Software
Oct 20, 2023 Malvertising / Cyber Threat
Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads. Malwarebytes, which discovered the activity,  said  it's "unique in its way to fingerprint users and distribute time sensitive payloads." The attack singles out users searching for Notepad++ and PDF converters to serve bogus ads on the Google search results page that, when clicked, filters out bots and other unintended IP addresses by showing a decoy site. Should the visitor be deemed of interest to the threat actor, the victim is redirected to a replica website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Users who fail the check are taken to the legitimate Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes but also to make each download unique and t

Microsoft's AI-Powered Bing Chat Ads May Lead Users to Malware-Distributing Sites

Microsoft's AI-Powered Bing Chat Ads May Lead Users to Malware-Distributing Sites
Sep 29, 2023 Artificial Intelligence / Malware
Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an  interactive search experience  that's powered by OpenAI's large language model called  GPT-4 . A month later, the tech giant  began   exploring  placing ads in the conversations. But the move has also opened the doors for threat actors who resort to malvertising tactics and propagate malware. "Ads can be inserted into a Bing Chat conversation in various ways," Jérôme Segura, director of threat intelligence at Malwarebytes,  said . "One of those is when a user hovers over a link and an ad is displayed first before the organic result." In an example highligh

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware
Sep 07, 2023 Malvertising / Endpoint Security
A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called  Atomic Stealer  (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer  first came  to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users. Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers. The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems. "Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops

Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising

Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
Sep 04, 2023 Malvertising / Social Media
Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware. "Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more," WithSecure researcher Mohammad Kazem Hassan Nejad  said . "And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal – hijacking business accounts." Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as  Ducktail  and  NodeStealer  that are known to raid businesses and individuals operating on Facebook. Among the methods employed by cybercriminals to gain unauthorized access to user accounts, social engineering plays a significant role. Victims are approached through various platforms ranging from Facebook a
Cybersecurity Resources