Threat actors continue to exploit malvertising and brand spoofing to deploy infostealers and propagate crypto fraud

screenshots of MSI After burner platform

Background

Last month we blogged about malvertisement activity involving Russian banking trojans, originating from malicious Google ads.

Attack vectors included search phrases and fake advertisments targeting remote desktop apps and online meeting platforms.

A couple of days after releasing our research the FBI issued a PSA, warning users about brand impersonation activity that uses popular search engines as a tool to distribute malware.

Since then, we’ve been on the lookout for similar activity targeting the type of brands targeted in the initial campaign. We’ve uncovered new attack vectors featuring other spoofing activities not limited to the original campaign.

AnyDesk spoofing

One of the brands targeted in the initial campaign was AnyDesk – the remote desktop platform.

With the help of scanned data from Silent Push’s enrichment query, we’ve kept an eye on the AnyDesk attack vector, among other remote desktop tools.

Throughout our collaboration with MalwareBytes whilst investigating DDOS-Guard, we uncovered a host of phishing domains impersonating AnyDesk software on the same IP infrastructure that hosted multiple spoofing pages targeting MSI After Burner, Trading View, Team Viewer, open source software such as OBS Studio and infostealers including Vidar and Aurora.

Through a combination of enriched data monitoring and granular research into DDOS-Guard’s infrastructure, we’ve kept track of similar infostealer-based threat activity, which has stuck around for the last two months.

In many cases, malware is being hosted on legitimate services such as Dropbox and Discord – domains hosted on 45.15.156[.]55 feature download links to an archive file hosted on Discord.

Domains hosted on 45.15.156[.]55
Malicious infrastructure on msalterberners[.]com
Code behind MSI Afterburner download activity

New attacks vectors

At the time of publication, both Dropbox and Discord have taken down multiple links involved in the campaign, but we are still seeing evidence of numerous new domains that are dropping similar infostealers.

Threat actors seem to be using DDOS-Guard’s services to propagate malicious activity.

We discovered multiple domains hosted on one of its IPs – 186.2.171[.]7 – targeting open-source software platforms such as Blender 3D, Digital Audio Editor Audacity, the Brave browser and the image editor GIMP, among others.

Even the spoofing domains that do not feature open source platforms – such as numerous typosquatted domains targeting the Steam community marketplace CS.Money – host malicious content similar to the spoofed open-source domains.

Preview of IPs hosted on DDOS-Guard infrastructure
Blender spoofing domain, with active download link
GIMP spoofing domain with active download link
A typosquat of the CS.Money domain, appearing to host a fake Audacity variant

Infostealers and crypto wallets

In all these cases, download links prompt an install of a version of the Vidar infostealer, which in turn attempts to connect to a Telegram account (t[.]me/jetbim) and a Steam profile steamcommunity[.]com/profiles/76561199471266194

VT page for the infostealer

The malware is equipped with evasion capabilities, as well as resulting in a timeout in most open-source sandboxes: 

“C:\Windows\System32\cmd.exe” /c timeout /t 6 & del /f /q “C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe” & exit

The infostealer attempts to access a crypto wallet as it tries to read files and directories:

C:\Users\Admin\AppData\Roaming\Electrum\wallets\

C:\Users\Admin\AppData\Roaming\Electrum-LTC\wallets\

C:\Users\Admin\AppData\Local\Coinomi\Coinomi\wallets\

Similar infostealers have been involved in spoofing brand domains redirected from Google ads. We anticipate that these brands will soon be targeted with SEO-poisoned malvertisements.

Cybersecurity-focused social media accounts have recently posted about the open-source Brave browser (one of the brands spoofed on this IP), redirected from Google Ads, which connect with the same Telegram and Steam community account highlighted above, hinting that the campaigns could be linked to the same group of threat actors.

Sekoia researcher tweet about a malicious Brave redirect from Google ads

Old campaigns still active with new IoC’s

As global attention turns towards active campaigns, threat actors are showing signs of resilience by moving on to new IoCs and previously unaffected infrastructure.

Banking trojans distributed through fake AnyDesk ads were one of the first malvertisment attack vectors we observed, and new spoofed AnyDesk domains are still being created – wvww.anydeskcom[.]top, featuring the IcedID banking trojan, is only 24 hours old at the time of writing, but the domain is already being distributed through Google ads.

The anydaske[.]website is visible from a Google ad, but the redirect points to a new domain in an attempt to keep one step ahead of researchers and security teams, by creating new IoCs that don’t appear in most global feeds.

Clicking on ‘Download Now’ injects the malicious archive file, containing the IcedID banking trojan.

The domain is hosted on 46.173.218[.]229, which proves the infrastructure consists of domains and brands that were involved in the previous malware distribution campaigns, such as Microsoft Teams, the IRS and Adobe.

Silent Push Query for IP 46.173.218[.]229
VT page for the archive with new IcedID Banking Trojan

Through enriched scanning, we have identified pages being spoofed in numerous different languages, indicating typosquatted domains across multiple distinct global regions.

Portuguese language spoofing site

MetaMask browser extension scam

Malware delivery is not the only attack vector utilised by threat actors looking to abuse search engine platforms with SEO poisoning.

During our Google Ads research, we uncovered a campaign targeting users of the Synapse Bridge Protocol – a popular platform that allows for the transfer of crypto assets between blockchains.

The legitimate Synapse domain asks users to manually connect their crypto wallet of choice to facilitate a secure transaction.

The phishing domain, however, attempts to connect directly with a MetaMask wallet, providing that the MetaMask browser extension is already installed.

Alternatively, the malicious domain asks users to install the extension, if it’s not already enabled in their browser. As the user has been redirected from a legitimate search engine, there is a high chance that many would fall victim to it without manually verifying the correct domain name.

Legitimate Synapse Protocol domain
Phishing domain spoofing Synapse, redirected from Google Ads

Most domains involved with this scam aren’t flagged on VirusTotal:

Conclusion

SEO poisoning and malvertising are not new techniques, but a recent surge in activity indicates there may be a lot more to come, with numerous new and well-established brands targeted across multiple global regions, languages and applications.

Government authorities such as the FBI have begun to sound the alarm about the rise in cases. Still, the sophistication of the threat actors’ approach and their willingness to switch to new infrastructure means that the number of people affected will inevitably rise.

It’s vitally important for security teams to protect consumers and supply chain operations by deploying proactive modes of defense, including keeping a lookout for any new campaigns utilizing SEO poisoning that are targeting their own or their customers’ infrastructure.

We’ve created a bespoke feed for our paid subscribers to keep one step ahead of threat activity. Our ‘Malvertising Domains’ feed is updated regularly with new IoCs – including suspect domains and IP infrastructure – and we’ll continue to monitor the situation using enriched data from our daily IPv4 scans, featuring billions of nodes across the globe.

Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.