Researchers have warned of a new cyber scam campaign using fake Windows updates to trick victims into downloading and running the Aurora infostelaer on their devices.
Experts at Malwarebytes recently spotted a malicious advertising campaign leveraging pop-under ads to deliver a malware loader.
Pop-under ads are a type of ad that loads under the browser, and is only visible once the user closes, or moves the browser out of sight. These ads, served mostly on adult content websites with high traffic numbers, are displayed in full-screen, and tell the user that they need to update their device. More than a dozen domains were used in this campaign, it was said.
Turkish victims
Those that fall for the trick would download a file called ChromeUpdate.exe which, in reality, is a malware loader called “Invalid Printer”. The researchers are saying that Invalid Printer is a so-called “fully undetectable” (FUD) malware loader, used exclusively by this particular, yet unnamed, threat actor. Once Invalid Printer makes it to the target endpoint, it will first check the graphic card to see if it’s installed on a virtual machine, or in a sandbox. If it determines that the device is a legitimate target, it will unpack and launch a copy of the Aurora infostealer.
Aurora is a piece of malware with “extensive capabilities” and low antivirus detection, its creators claim. In reality, it took antivirus programs a few weeks to start flagging Aurora installs as malicious, Malwarebytes said. Written in Golang, Aurora is on sale on dark web forums for more than a year now. In this particular campaign, some 600 devices were compromised, the researchers believe.
According to Jérôme Segura, director of threat intelligence at Malwarebytes, most victims are Turkish, as every time a new sample gets submitted to Virus Total, it comes from a Turkish user.
"In many instances, the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe)," the researcher concluded.
- These are the best firewalls around
Via: BleepingComputer