The Danger of Google Ads: LOBSHOT backdoor used to lure Corporate Workers

Internet Security Threat on Corporate Workers Posed by Malware Disguised as Legitimate Software Downloads via Google Ads

Recently, Elastic Security Labs researchers discovered a newly created backdoor and credential stealer that poses as a legitimate software download as part of an elaborate campaign to lure corporate workers. The malware, dubbed LOBSHOT, appears to be the work of TA505, a threat group known for spreading Clop ransomware, and its motivation appears to be financial: it steals banking, cryptocurrency and other valuable data and credentials. It is propagated through malicious Google Ads for remote-workforce applications such as AnyDesk.

The fake download site leads to the execution of a DLL fetched from the download-cdn[.]com domain, which is historically associated with TA505. Based on this infrastructure overlap, the researchers assessed that LOBSHOT is most likely a new malware capability used by the group. They have seen new LOBSHOT samples from this family each week, indicating that it will be around for some time.

Potential victims are exposed to the malware by clicking on Google Ads that purport to be for legitimate workforce software such as AnyDesk. The LOBSHOT infection chain begins when someone searches the internet for the legitimate software and the malicious ad comes up as a promoted result. The landing pages are very convincing, using branding similar to the legitimate software's, and include Download Now buttons that point to an MSI installer. Once downloaded and launched by the user, the MSI installer executes on the user's computer and establishes communication with the attacker-controlled command-and-control (C2) server.

LOBSHOT's core capability revolves around its Hidden Virtual Network Computing (hVNC) component, which gives the attacker direct, fully interactive access to the machine without the victim noticing. Because the hVNC session runs on a hidden desktop and the activity originates from the victim's own machine, browser and IP address, it continues to be effective at bypassing fraud-detection systems that key on device and location anomalies. In addition, like much malware in current use, LOBSHOT resolves its Windows API imports dynamically at runtime rather than listing them in its import table, which hampers static analysis by security products and slows the identification of its capabilities.
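To make the dynamic-import point concrete, the following is an added example (not LOBSHOT's code and not from the Elastic report) of how API hashing removes readable function names from a binary, how the malware resolves them at runtime, and how an analyst recovers them with a precomputed hash table. The ROR13 routine, the constructed export table and the three-entry "import blob" are all assumptions for illustration, not LOBSHOT's actual algorithm or imports.

```python
"""Dynamic import resolution by API hashing, and how an analyst undoes it.

Added example (not LOBSHOT's code, not Elastic's): the ROR13 hash below is a
generic illustration of the technique, not LOBSHOT's actual algorithm, and
FAKE_EXPORTS is a constructed stand-in for a real DLL's export-name table.
"""
from __future__ import annotations

import struct


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over an ASCII export name (assumed routine)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for kernel32.dll's export-name table (illustrative subset).
FAKE_EXPORTS = [
    "CloseHandle", "CreateFileW", "CreateProcessW", "GetProcAddress",
    "LoadLibraryA", "ReadFile", "VirtualAlloc", "VirtualProtect", "WriteFile",
]


def build_blob(wanted: list[str]) -> bytes:
    """What the malware author ships: packed 32-bit hashes, no readable API names."""
    return b"".join(struct.pack("<I", ror13_hash(n)) for n in wanted)


def resolve_by_hash(target: int, exports=FAKE_EXPORTS) -> str | None:
    """Runtime side: walk the export table until an entry's hash matches."""
    for name in exports:
        if ror13_hash(name) == target:
            return name
    return None


def imports_from_blob(blob: bytes) -> list[str | None]:
    """Replay the malware's runtime resolution over the packed hash list."""
    hashes = struct.unpack(f"<{len(blob) // 4}I", blob)
    return [resolve_by_hash(h) for h in hashes]


def recover_imports(blob: bytes, known_api_names) -> list[str]:
    """Analyst side: precompute hash -> name over known API names, then look up."""
    table = {ror13_hash(n): n for n in known_api_names}
    hashes = struct.unpack(f"<{len(blob) // 4}I", blob)
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]


def strings_would_find(blob: bytes, names) -> list[str]:
    """Mimic a quick strings-style triage: which API names appear verbatim?"""
    return [n for n in names if n.encode("ascii") in blob]


if __name__ == "__main__":
    sample = build_blob(["LoadLibraryA", "GetProcAddress", "VirtualAlloc"])
    print("plain-text API names visible:", strings_would_find(sample, FAKE_EXPORTS))
    print("resolved at runtime:", imports_from_blob(sample))
    print("recovered by analyst:", recover_imports(sample, FAKE_EXPORTS))
```

The defensive takeaway is that a hashed import list only slows analysis: once the hash routine is identified in the sample, the analyst's precomputed table recovers the names in one pass, and any hash absent from the table is itself a lead worth chasing.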

Elastic Security Labs researchers also provide prevention and detection guidance for malware such as LOBSHOT. This includes directions for writing EQL (Event Query Language) queries to hunt for the suspicious grandparent, parent and child process relationships that the researchers observed LOBSHOT creating during execution.
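As an added example of the kind of process-lineage hunt described above (this is my own code, not Elastic's published EQL queries), the script below reconstructs grandparent, parent and child relationships from process-start telemetry and flags a chain in which an MSI installer spawns rundll32.exe loading a DLL from a user-writable directory. The specific chain, the path heuristic and the sample events are assumptions chosen to illustrate the technique, not verbatim LOBSHOT indicators; the EQL shown in the docstring is my own rendering of the same rule.

```python
"""Hunt for suspicious grandparent -> parent -> child process chains.

Added example (not Elastic's own query). Rough EQL equivalent of the rule
implemented below, written by the editor for comparison:

    process where event.type == "start" and
      process.name : "rundll32.exe" and
      process.parent.name : "msiexec.exe" and
      process.command_line : ("*\\\\AppData\\\\*", "*\\\\Temp\\\\*")
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed sample telemetry (not real logs); pid/ppid encode the lineage.
SAMPLE_EVENTS = [
    ProcStart(100, 1,   "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcStart(200, 100, "chrome.exe",   "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\""),
    # Assumed malicious chain: user runs a downloaded MSI, which spawns rundll32
    # on a DLL dropped under the user's Temp directory.
    ProcStart(300, 100, "msiexec.exe",  "msiexec.exe /i C:\\Users\\alice\\Downloads\\AnyDesk-Setup.msi"),
    ProcStart(400, 300, "rundll32.exe", "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\MSI1234.tmp,DllRegisterServer"),
    # Assumed benign chain: installer runs a helper DLL from Program Files.
    ProcStart(500, 100, "msiexec.exe",  "msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi"),
    ProcStart(600, 500, "rundll32.exe", "rundll32.exe C:\\Program Files\\7-Zip\\helper.dll,Install"),
]

# Heuristic for user-writable locations a dropped DLL tends to live in (assumption).
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.IGNORECASE
)


def lineage(events: list[ProcStart], pid: int, depth: int = 3) -> list[ProcStart]:
    """Return [child, parent, grandparent, ...] records, up to `depth` levels."""
    by_pid = {e.pid: e for e in events}
    chain: list[ProcStart] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def hunt_msi_rundll32(events: list[ProcStart]) -> list[tuple[str, str, str, str]]:
    """Return (grandparent, parent, child, child_cmdline) for each matching chain."""
    hits = []
    for e in events:
        if e.name.lower() != "rundll32.exe":
            continue
        chain = lineage(events, e.pid)
        if len(chain) < 2 or chain[1].name.lower() != "msiexec.exe":
            continue
        if not USER_WRITABLE.search(e.cmdline):
            continue  # DLL loaded from a protected path; not the pattern we hunt
        grandparent = chain[2].name if len(chain) > 2 else "<unknown>"
        hits.append((grandparent, chain[1].name, e.name, e.cmdline))
    return hits


if __name__ == "__main__":
    for gp, parent, child, cmd in hunt_msi_rundll32(SAMPLE_EVENTS):
        print(f"{gp} -> {parent} -> {child}: {cmd}")
```

In a real deployment the events would come from an EDR or Sysmon (Event ID 1) feed rather than an inline list, and the path heuristic would be tuned against the environment's own installers to keep false positives down; the lineage reconstruction itself is what the EQL engine does for you with `process.parent.*` fields.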

In conclusion, LOBSHOT is another example of the alarming trend of adversaries extending their reach through malvertising such as Google Ads that impersonates legitimate software. Malware of this kind may seem minor and limited in reach, but its fully interactive remote-control capability gives threat actors a foothold in corporate networks from which to carry out further malicious activity. It is essential to educate employees about the precautions to take before clicking on Google Ads or downloading software from unfamiliar sites, and to steer them toward vendors' official download pages. Furthermore, companies should strengthen their security and resilience by keeping endpoint protection current and hunting for the process behaviours this malware exhibits, so that a successful lure does not become a breach.
