Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

More fake Windows updates are spreading malware, so watch what you download

Magnifying glass enlarging the word 'malware' in computer machine code

Researchers have warned of a new cyber scam campaign using fake Windows updates to trick victims into downloading and running the Aurora infostelaer on their devices.

Experts at Malwarebytes recently spotted a malicious advertising campaign leveraging pop-under ads to deliver a malware loader.

Pop-under ads are a type of ad that loads under the browser, and is only visible once the user closes, or moves the browser out of sight. These ads, served mostly on adult content websites with high traffic numbers, are displayed in full-screen, and tell the user that they need to update their device. More than a dozen domains were used in this campaign, it was said.

Turkish victims

Those that fall for the trick would download a file called ChromeUpdate.exe which, in reality, is a malware loader called “Invalid Printer”. The researchers are saying that Invalid Printer is a so-called “fully undetectable” (FUD) malware loader, used exclusively by this particular, yet unnamed, threat actor. Once Invalid Printer makes it to the target endpoint, it will first check the graphic card to see if it’s installed on a virtual machine, or in a sandbox. If it determines that the device is a legitimate target, it will unpack and launch a copy of the Aurora infostealer. 

Aurora is a piece of malware with “extensive capabilities” and low antivirus detection, its creators claim. In reality, it took antivirus programs a few weeks to start flagging Aurora installs as malicious, Malwarebytes said. Written in Golang, Aurora is on sale on dark web forums for more than a year now. In this particular campaign, some 600 devices were compromised, the researchers believe. 

According to Jérôme Segura, director of threat intelligence at Malwarebytes, most victims are Turkish, as every time a new sample gets submitted to Virus Total, it comes from a Turkish user. 

"In many instances, the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe)," the researcher concluded.

Via: BleepingComputer

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.