Slash Boxes

SoylentNews is people

posted by Fnord666 on Thursday October 03 2019, @01:16PM   Printer-friendly
from the hate-to-see-it dept.

Arthur T Knackerbracket has found the following story:

Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.

Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.

Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".

When the update button is clicked, the site will download either an HTML application (HTA), JavaScript, or Zip archives with JavaScript files.

When the downloaded file is executed, a malicious script would be launched that gathers information about the computer and sends it back to the attacker's command and control server.

The server would then respond with an another script that would be executed on the victim's machine to download and install malware. The researchers at FireEye state that they observed malware such as Dridex, NetSupport Manager, AZORult, or Chthonic being installed on the victim's machines.

"The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor."

In addition to the information being stolen by banking Trojans, the script would also use the freeware Nircmd.exe tool to generate two screenshots of the current desktop, which are then also uploaded to the C2.

Similar to how Ryuk utilizes Trickbot, FireEye observed that Dridex would be used to install the BitPaymer or DoppelPaymer ransomware on a victim's network.

[...] Both BitPaymer and DoppelPayment are well know for requesting huge ransomware when they are able to compromise many computers on a network. For example, there are known cases where DoppelPaymer has demanded ransom ranging from $80K USD to over $2 million.

This would allow them to potentially generate huge ransoms from a compromised network that has already been squeezed dry of data to harvest.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by anubi on Thursday October 03 2019, @10:55PM (1 child)

    by anubi (2828) on Thursday October 03 2019, @10:55PM (#902464) Journal

    I find it easier to find another vendor than to reconfigure my system over the whim of some corporate webmaster.

    I use a lot of older, and deliberately crippled technology to hinder malware.

    Amazon works fine. So does eBay. However many corporate websites do not.

    So, while corporate sites tell me to upgrade to something their trackers want, my response to their browser upgrade demand is a query to AliExpress, Amazon, eBay, Rock Auto, or a few more I have bookmarked who do not constantly trip off my malware avoidance systems.

    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Friday October 04 2019, @04:22AM

    by Anonymous Coward on Friday October 04 2019, @04:22AM (#902546)

    For a lot of businesses, it is a one in a million chance that you clicked on their link.

    It's a shame they used it to encourage you to go somewhere else.