malvertising | Breaking Cybersecurity News | The Hacker News

The popularity of Brazil's  PIX  instant payment system has made it a  lucrative target for threat actors  looking to generate illicit profits using a new malware called GoPIX . Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off  using malicious ads  that are served when potential victims search for "WhatsApp web" on search engines. "The cybercriminals employ malvertising: their links are placed in the ad section of the search results, so the user sees them first," the Russian cybersecurity vendor  said . "If they click such a link, a redirection follows, with the user ending up on the malware landing page." As other malvertising campaigns observed recently, users who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots, and others not deemed to be genuine victims. This is accomplished by using a legitimate fraud prevention solution known as  IPQu

Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads. Malwarebytes, which discovered the activity,  said  it's "unique in its way to fingerprint users and distribute time sensitive payloads." The attack singles out users searching for Notepad++ and PDF converters to serve bogus ads on the Google search results page that, when clicked, filters out bots and other unintended IP addresses by showing a decoy site. Should the visitor be deemed of interest to the threat actor, the victim is redirected to a replica website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Users who fail the check are taken to the legitimate Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes but also to make each download unique and t

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an  interactive search experience  that's powered by OpenAI's large language model called  GPT-4 . A month later, the tech giant  began   exploring  placing ads in the conversations. But the move has also opened the doors for threat actors who resort to malvertising tactics and propagate malware. "Ads can be inserted into a Bing Chat conversation in various ways," Jérôme Segura, director of threat intelligence at Malwarebytes,  said . "One of those is when a user hovers over a link and an ad is displayed first before the organic result." In an example highligh

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called  Atomic Stealer  (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer  first came  to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users. Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers. The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems. "Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops

Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware. "Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more," WithSecure researcher Mohammad Kazem Hassan Nejad  said . "And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal – hijacking business accounts." Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as  Ducktail  and  NodeStealer  that are known to raid businesses and individuals operating on Facebook. Among the methods employed by cybercriminals to gain unauthorized access to user accounts, social engineering plays a significant role. Victims are approached through various platforms ranging from Facebook a

Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called  WoofLocker  that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was  first documented  by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (aka browlock). This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that's served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is delivered. WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page. The cybersecurity

A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks. Dubbed  Nitrogen , the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos  said  in a Wednesday analysis. Nitrogen was  first documented  by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system. Then earlier this month, Trend Micro  uncovered  a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack. "Throughout the infection chain, the threat

Threat actors associated with the  BlackCat ransomware  have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers  said  in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." Malvertising   refers  to the use of  SEO poisoning techniques  to spread malware via online advertising. It typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a  Cobal

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular applications to serve unwanted ads to users as part of a campaign ongoing since October 2022. "The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware." The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy. It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, se

In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT . "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine." The American-Dutch company attributed the malware strain to a threat actor known as  TA505  based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with  activity clusters  tracked under the names Evil Corp, FIN11, and Indrik Spider. The latest development is significant because it's a sign that TA505, which is associate

A piece of new information-stealing malware called  OpcJacker  has been spotted in the wild since the second half of 2022 as part of a malvertising campaign. "OpcJacker's main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes," Trend Micro researchers Jaromir Horejsi and Joseph C. Chen  said . The initial vector of the campaign involves a network of fake websites advertising seemingly innocuous software and cryptocurrency-related applications. The February 2023 campaign specifically singled out users in Iran under the pretext of offering a VPN service. The installer files act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as  NetSupport RAT  and a hidden virtual network computing ( hVNC ) variant for remote access. OpcJacker is concealed using a  crypter  known as Babadeda an

An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel  said  in a technical write-up. The shift to Google malvertising is the latest example of how crimeware actors are  devising alternate delivery routes  to distribute malware ever since Microsoft announced plans to block the execution of macros in Office by default from files downloaded from the internet. Malvertising entails placing rogue search engine advertisements in hopes of tricking users searching for popular software like Blender into downloading the trojanized software. The MalVirt loaders, which are implemented in .NET, use the legitimate  KoiVM  virtualizing protector for .NET applicati

Researchers have shut down an "expansive" ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices.  "VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views," fraud prevention firm HUMAN  said . The operation gets its name from the use of a DNS evasion technique called  Fast Flux  and  VAST , a Digital Video Ad Serving Template that's employed to serve ads to video players. The sophisticated operation particularly exploited the restricted in-app environments that run ads on iOS to place bids for displaying ad banners. Should the auction be won, the hijacked ad slot is leveraged to inject rogue JavaScript that establishes contact with a remote server to retrieve the list of apps to be targeted. This includes the  bundle IDs  that belong to leg

Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords. The ultimate objective of such attacks is to  trick   unsuspecting   users  into downloading malevolent programs or potentially unwanted applications. In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive. "The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the server imme

A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension with the goal of stealing credentials and data stored in the compromised systems as well as maintaining persistent remote access. Cisco Talos attributed the malware payloads to an unknown actor that goes by the alias " magnat ," noting that "these two families have been subject to constant development and improvement by their authors." The attacks are believed to have commenced in late 2018, with intermittent activity observed towards the end of 2019 and through early 2020, followed by fresh spikes since April 2021, while mainly singling out users in Canada, followed by the U.S., Australia, Italy, Spain, and Norway. A noteworthy aspect of the intrusions is the use of malvertising as a means to strike individua