fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

SEO Poisoning Pushes Malware-laced Zoom, TeamViewer, Visual Studio Installers

SEO Poisoning Pushes Malware-laced Zoom, TeamViewer, Visual Studio Installers

A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio.

These campaigns rely on the compromise of legitimate websites to plant malicious files or URLs that redirect users to sites that host malware disguised as popular apps.

Upon downloading and executing the software installers, the victims unknowingly infect themselves with malware and remote access software.

Poisoning search results

As part of this campaign, the threat actors perform search engine optimization (SEO) techniques to legitimate compromised sites into search results for popular applications.

The targeted keywords are for popular applications like Zoom, Microsoft Visual Studio 2015, TeamViewer, and others.

Also Read: Unsolicited Electronic Messages Act Means for Businesses

Malicious search engine result promoting Visual Studio download
Malicious search engine result promoting Visual Studio download
Source: Mandiant

When a user clicks on the search engine link, they will be brought to the compromised site that includes a Traffic Direction System (TDS).  Traffic Direction Systems are scripts that check for various attributes of a visitor and use that information to decide whether they should be shown the legitimate webpage or be redirected to another malicious site under the attacker’s control.

In similar campaigns in the past, the TDS would only redirect visitors if they came from a search engine result. Otherwise, the TDS would show the visitor the normal and legitimate blog post.

This technique helps prevent analysis by security researchers as it would only show the malicious behavior to those who arrived from a search engine.

If a visitor is redirected, the malicious site will show them a fake forum discussion where a user asks how to get a particular app, and another phony user provides a download link, as shown below.

Fake forum discussion offering a download link
Fake forum discussion offering a download link
Source: Mandiant

Clicking the download link will cause the site to create a packaged malware installer using the name of the sought-after application. As the malware packages include the legitimate software, many users will not realize they have also been infected with malware.

Some of the malicious domains found by Mandiant researchers being used in this campaign are:

  • cmdadminu[.]com
  • zoomvideo-s[.]com
  • cloudfiletehnology[.]com
  • commandaadmin[.]com
  • clouds222[.]com
  • websekir[.]com
  • team-viewer[.]site
  • zoomvideo[.]site
  • sweepcakesoffers[.]com
  • pornofilmspremium[.]com
  • kdsjdsadas[.]online
  • bartmaaz[.]com
  • firsone1[.]online

Dropping a malware cocktail

When the downloaded program is executed, it will perform two different infection chains that drop malware payloads on the device.

The first infection chain starts with installing the fake software bundled with the BATLOADER malware, fetching and executing more payloads like Ursnif and Atera Agent.

Also Read: Document Shredding Services for Commercial Document Destruction

The second infection chain drops ATERA Agent directly, bypassing the malware loading stages. Atera is a legitimate remote management solution that is being abused for lateral movement and deeper infiltration.

Diagram showcasing the two attack chains
Diagram showcasing the two attack chains
Source: Mandiant

In the first infection chain, the actors use MSHTA to execute a legitimate Windows DLL (AppResolver) laced with a malicious VBScript to change Microsoft Defender settings and add specific exclusions.

VBScript disabling Defender features
Disabling Microsoft Defender features
Source: Mandiant

Interestingly, the PE Authenticode signature in the Windows file remains valid even though the actors have added their malicious code to it, which is a problem that Microsoft attempted to address with the CVE-2020-1599 fix.

Mandiant’s report describes the bypassing technique as follows:

We observed arbitrary script data was appended to the signature section beyond the end of the ASN.1 of a legitimately signed Windows PE file. The resultant polyglot file maintains a valid signature as long as the file has a file extension other than ‘.hta’. This polyglot file will successfully execute the script contents if it is executed with Mshta.exe, as Mshta.exe will skip the PE’s bytes, locate the script at the end, and execute it.

Link to Conti gang?

Mandiant’s analysts underline that some of the techniques seen in this campaign match the content of the Conti playbooks that a disgruntled affiliate leaked last August.

While the campaign could be replicated by unrelated actors, loading the VBScript from a signed Windows file indicates a skillful operator.

Deploying ransomware payloads through Atera Agent would be fairly simple, while the targeting scope defined by the SEO lures is company-focused.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us