Fake Windows News Portal Used in New Malvertising Campaign to Spread Malicious Installers

    A Cunning Strategy with Popular Software

    Researchers have discovered a new malvertising campaign. This campaign cleverly uses fake sites, pretending to be legitimate Windows news portals, to distribute a malicious installer for the well-known system profiling tool CPU-Z. This incident forms part of a larger strategy targeting utilities like Notepad++, Citrix, and VNC Viewer. The campaign uses distinct domain names and cloaking templates to dodge detection, says Jérôme Segura from Malwarebytes.

    Deception Tactics: Replica Sites and Cloaking

    Unlike typical malvertising campaigns, which set up replica sites of the popular software they abuse, this one imitates a news portal: the site is a copy of WindowsReport[.]com. The aim is to deceive users who search for CPU-Z on search engines such as Google. They encounter malicious ads that redirect them to the fake portal (workspace-app[.]online). Meanwhile, the campaign serves harmless blogs with unrelated articles to users who are not targeted by the scheme, a technique known as cloaking.

    The Malicious Installer and Its Components

    The rogue website hosts a signed MSI installer. It contains a malicious PowerShell script and the FakeBat (aka EugenLoader) loader. This loader serves as a gateway for installing RedLine Stealer on the victim’s device. Segura suggests that the choice of a decoy site resembling Windows Report may be strategic: users often download software utilities from such portals instead of from the official web pages.

    Previous Instances and Emerging Techniques

    This isn’t the first instance where deceptive Google Ads for well-known software have served as a conduit for malware. Just last week, cybersecurity firm eSentire revealed an updated Nitrogen campaign that led to a BlackCat ransomware attack. Two other campaigns observed by the Canadian firm show cybercriminals using the drive-by download method, luring users to dubious websites that spread malware such as NetWire RAT, DarkGate, and DanaBot.

    The Evolving Threat Landscape

    Threat actors are increasingly relying on adversary-in-the-middle (AiTM) phishing kits. Examples include NakedPages, Strox, and DadSec. These kits help bypass multi-factor authentication and hijack targeted accounts. Moreover, eSentire has highlighted a new method called the Wiki-Slack attack. This user-redirection attack aims to drive victims to attacker-controlled websites. It involves defacing the end of the first paragraph of a Wikipedia article and sharing the article in Slack. A Slack quirk that mishandles whitespace between paragraphs causes the enterprise messaging platform to auto-generate a link. When clicked, this link directs the victim to a malicious site. The method depends on a condition: the first word of the second Wikipedia paragraph must match a top-level domain (e.g., in, at, com, or net). To execute this attack, the threat actor must deface Wikipedia pages of interest to the target.
