For the past few years, attackers have increasingly targeted consumers and businesses with tainted software promoted through ads. The recipe is simple – cyber-criminal groups set up fake websites for high-interest software and push them to the top of the results page through advertisements.

It takes just one search and one click for a user to fall victim to the trick. Testament to that is the series of attacks against prominent crypto-currency figures earlier in 2023 as well as a recent spate of incidents Bitdefender investigated in the second part of the year.

This report is based on an investigation into threat actors’ use of a malicious ISO archive to offer business users more than they bargained for. Besides the software it advertised, the malicious ISO file contained a ZIP archive holding a Python executable and its dependencies. One DLL loaded by the python.exe process was set to execute malicious code in the form of a Meterpreter stager, giving the attackers access to the victim’s computer.

Starting with that subset of indicators, Bitdefender researchers were able to identify more artifacts related to the same campaign that seems to have started at least as far back as May 2023. The malicious ISO archives were distributed using malicious ads that impersonated download pages for applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more.
The same campaign seems to have caught the attention of multiple security researchers, and we would like to join their efforts by sharing our own findings.
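The chain described above (a portable python.exe dropped from an ISO/ZIP, loading a DLL from its own directory) leaves a simple signal in image-load telemetry. The following is an added example of that detection heuristic, not Bitdefender's own tooling: it classifies Sysmon Event ID 7 style records (process image plus loaded module) and flags python.exe interpreters that run from, or load DLLs from, locations outside a normal install. The trusted-path patterns and the sample events are assumptions constructed for the example.

```python
"""Flag python.exe image loads that fit the ISO -> ZIP -> python.exe -> DLL chain.

Heuristic (added example, not the vendor's detection logic): a legitimately
installed interpreter and its DLLs live under the Python install tree or
the Windows directory. A python.exe running from a mounted ISO, a Downloads
folder or a freshly extracted ZIP, or loading a DLL from such a place, is
worth an alert.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # Sysmon Event ID 7 "Image" field
    loaded_image: str   # Sysmon Event ID 7 "ImageLoaded" field


# Assumed allow-list of roots where python.exe and its DLLs normally live.
TRUSTED_ROOT_PATTERNS = [
    re.compile(r"^c:\\windows\\"),
    re.compile(r"^c:\\program files( \(x86\))?\\python"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python"),
]


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix matching."""
    return ntpath.normpath(path).lower()


def _trusted(path: str) -> bool:
    p = _norm(path)
    return any(pat.match(p) for pat in TRUSTED_ROOT_PATTERNS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string when the load looks like sideloading, else None."""
    proc, dll = _norm(ev.process_image), _norm(ev.loaded_image)
    if ntpath.basename(proc) != "python.exe" or not dll.endswith(".dll"):
        return None  # only interpreter DLL loads are in scope here
    if not _trusted(proc):
        return f"python.exe running from untrusted location {ntpath.dirname(proc)}"
    if not _trusted(dll):
        return f"python.exe loaded DLL from outside its install tree: {dll}"
    return None


def scan(events: List[ImageLoad]) -> List[Tuple[ImageLoad, str]]:
    """Run classify() over a batch and keep only the hits."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev, reason))
    return hits
```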

This malvertising campaign leads to the propagation of the infection after initial exposure. For as long as they dwell in the victim’s network, the attackers’ primary goal is to obtain credentials, set up persistence on important systems and exfiltrate data, with extortion as the end goal. We also noticed attempts to deploy BlackCat ransomware.

Findings at a glance:

  • A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements to hijack searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more.
  • Our research shows that the actor(s) has successfully used this type of attack since late May 2023.
  • Based on our threat insights, attackers seem to focus exclusively on North America. Until now, we have identified six target organizations in the US and one in Canada.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in the whitepaper below.

Download the research paper

___

If you found this information helpful, read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question; our specialists will assist you with your query.

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.
