SoylentNews is people

posted by Fnord666 on Thursday October 03 2019, @01:16PM
from the hate-to-see-it dept.

Arthur T Knackerbracket has found the following story:

Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.

Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.

Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".

When the update button is clicked, the site will download either an HTML application (HTA), JavaScript, or Zip archives with JavaScript files.

When the downloaded file is executed, a malicious script would be launched that gathers information about the computer and sends it back to the attacker's command and control server.

The server would then respond with another script that would be executed on the victim's machine to download and install malware. The researchers at FireEye state that they observed malware such as Dridex, NetSupport Manager, AZORult, or Chthonic being installed on the victim's machines.
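The chain described above has a defender-side signature: a browser downloads a script-type "update" file (HTA, JS, or JS inside a zip) and a Windows script host executes it moments later. The following is an added example, not code from the article or from FireEye, that correlates those two events over constructed endpoint telemetry; the log format, host names, URLs and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article), one event per line.
SAMPLE_LOGS = r"""
2019-09-12T10:01:05 DOWNLOAD host=ws17 user=alice url=https://blog.example.test/chrome_update.js file=C:\Users\alice\Downloads\chrome_update.js
2019-09-12T10:01:09 PROCESS host=ws17 user=alice image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\alice\Downloads\chrome_update.js"
2019-09-12T10:20:00 DOWNLOAD host=ws02 user=bob url=https://dl.google.com/chrome/install/ChromeSetup.exe file=C:\Users\bob\Downloads\ChromeSetup.exe
2019-09-12T11:00:00 DOWNLOAD host=ws09 user=carol url=https://intranet.corp.test/report.zip file=C:\Users\carol\Downloads\report.zip
2019-09-12T11:02:30 PROCESS host=ws09 user=carol image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Users\carol\Downloads\report\update.hta"
"""

SCRIPT_EXT = (".hta", ".js", ".jse", ".wsf", ".vbs")   # file types the lure delivers
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")  # what executes them
WINDOW = timedelta(minutes=10)  # assumed gap between download and execution

DL_RE = re.compile(r"^(\S+) DOWNLOAD host=(\S+) user=(\S+) url=(\S+) file=(.+)$")
PR_RE = re.compile(r'^(\S+) PROCESS host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')

def parse(text):
    """Split raw lines into download and process-start events."""
    downloads, procs = [], []
    for line in text.strip().splitlines():
        m = DL_RE.match(line)
        if m:
            ts, host, user, url, path = m.groups()
            downloads.append((datetime.fromisoformat(ts), host, user, url, path))
            continue
        m = PR_RE.match(line)
        if m:
            ts, host, user, image, cmd = m.groups()
            procs.append((datetime.fromisoformat(ts), host, user, image, cmd))
    return downloads, procs

def detect(text):
    """Return (host, severity, reason) findings for fake-update style activity."""
    downloads, procs = parse(text)
    findings = []
    # Rule 1: a browser download of a script-type file whose name poses as an update.
    for ts, host, user, url, path in downloads:
        name = path.lower().rsplit("\\", 1)[-1]
        if name.endswith(SCRIPT_EXT) and "update" in name:
            findings.append((host, "medium", f"browser saved script-type 'update' file {name} from {url}"))
    # Rule 2: a script host running a script out of Downloads; severity rises if the
    # same host saw a browser download shortly before (covers the zip-then-extract case).
    for ts, host, user, image, cmd in procs:
        exe = image.rsplit("\\", 1)[-1].lower()
        low = cmd.lower()
        if exe in SCRIPT_HOSTS and "\\downloads\\" in low and low.endswith(SCRIPT_EXT):
            recent = [d for d in downloads if d[1] == host and ts - WINDOW <= d[0] <= ts]
            findings.append((host, "high" if recent else "medium", f"{exe} ran script from Downloads: {cmd}"))
    return findings
```

The legitimate ChromeSetup.exe download produces no finding, while the zip case is caught at execution time rather than at download time.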

"The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor."

In addition to the information being stolen by banking Trojans, the script would also use the freeware Nircmd.exe tool to generate two screenshots of the current desktop, which are then also uploaded to the C2.

Similar to how Ryuk utilizes Trickbot, FireEye observed that Dridex would be used to install the BitPaymer or DoppelPaymer ransomware on a victim's network.

[...] Both BitPaymer and DoppelPaymer are well known for demanding huge ransoms when they are able to compromise many computers on a network. For example, there are known cases where DoppelPaymer has demanded ransom ranging from $80K USD to over $2 million.

This would allow them to potentially generate huge ransoms from a compromised network that has already been squeezed dry of data to harvest.


  • (Score: 1, Interesting) by Anonymous Coward on Thursday October 03 2019, @04:11PM (#902334)

    I first saw one of these quite a few weeks ago, maybe a couple months. Looks like someone is capitalizing well on the "Yeah, we don't support that browser..." movement.

  • (Score: 4, Insightful) by Anonymous Coward on Thursday October 03 2019, @10:51PM (#902459)

    This is one reason UIs are considered worse than before. Initially, software would notify you of something in a manner which embedded components couldn't duplicate. Nowadays, there's no way to tell the difference between a browser generated notification and a webpage notification. Hell, even program settings are displayed as a webpage which makes it trivial for malware to duplicate the exact same screens and mess with you.

    I would like to give a big fuck you to the google developers who on their own decided to start pushing the "Use this better piece of software or else bad things will happen to you" banners you now see everywhere. Once that google team started doing it, everyone copied them thinking it was now an okay thing to do. It wasn't and still isn't.