


Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to 'patch' this loader and identified its actual payload as Aurora stealer.

In this blog post, we detail our findings and how this campaign is connected to other attacks.

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to be a system security update.

Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The 'Chrome update' downloaded from the web browser

While the file name appears as ChromeUpdate.exe, it uses the Cyrillic alphabet such that certain characters look similar but are different on disk. Its hex representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe as can be seen in the image below:

Figure 3: Hex encoding and Cyrillic alphabet

Fully Undetectable (FUD) malware
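The Cyrillic look-alike filename above is easy to miss by eye but easy to catch programmatically. The following Python script is an added example (not code from the original post or from Malwarebytes): it percent-decodes the filename quoted in the post, lists the scripts its letters come from, flags the Latin/Cyrillic mix, and maps the look-alike letters to the ASCII name they imitate. The look-alike table is a hand-picked subset constructed for this example; a production check would use the full Unicode confusables data (UTS #39).

```python
import unicodedata
from urllib.parse import quote, unquote

# The percent-encoded filename quoted in the post (Figure 3).
ENCODED_NAME = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"

# Cyrillic letters that render like Latin ones. Constructed for this example;
# a real check should use the full Unicode confusables table (UTS #39).
CYRILLIC_LOOKALIKES = {
    "\u0410": "A", "\u0430": "a",
    "\u0412": "B",
    "\u0421": "C", "\u0441": "c",
    "\u0415": "E", "\u0435": "e",
    "\u041d": "H",
    "\u041a": "K",
    "\u041c": "M",
    "\u041e": "O", "\u043e": "o",
    "\u0420": "P", "\u0440": "p",
    "\u0422": "T",
    "\u0425": "X", "\u0445": "x",
    "\u0443": "y",
}


def decode_filename(encoded):
    """Percent-decode as UTF-8, which is how the browser derives the on-disk name."""
    return unquote(encoded, encoding="utf-8", errors="strict")


def reencode_filename(name):
    """Percent-encode the non-ASCII bytes again (reproduces the form seen in the post)."""
    return quote(name)


def letter_scripts(name):
    """Scripts used by the letters of name, read from the Unicode character names
    (e.g. 'CYRILLIC CAPITAL LETTER ES' -> 'CYRILLIC', 'LATIN SMALL LETTER H' -> 'LATIN')."""
    return {unicodedata.name(ch).split()[0] for ch in name if ch.isalpha()}


def is_mixed_script(name):
    """A filename whose letters come from more than one script deserves a closer look."""
    return len(letter_scripts(name)) > 1


def skeleton(name):
    """Replace known Cyrillic look-alikes with the Latin letter they imitate, so the
    result can be compared with the name a user believes they downloaded."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in name)


def analyze(encoded):
    """Summarise one percent-encoded filename for a triage report."""
    decoded = decode_filename(encoded)
    return {
        "decoded": decoded,
        "scripts": sorted(letter_scripts(decoded)),
        "mixed_script": is_mixed_script(decoded),
        "skeleton": skeleton(decoded),
        "non_ascii_count": sum(1 for ch in decoded if ord(ch) > 0x7F),
    }


if __name__ == "__main__":
    report = analyze(ENCODED_NAME)
    for key, value in report.items():
        print(f"{key:>16}: {value}")
    print(f"{'re-encoded':>16}: {reencode_filename(report['decoded'])}")
```

Six of the sixteen characters in the decoded name are Cyrillic, and its skeleton is exactly `ChromeUpdate.exe`, which is the comparison a download-monitoring or EDR rule can make: a mixed-script filename whose skeleton matches a well-known installer name is a strong signal on its own.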
