Background

Last month we blogged about malvertisement activity involving Russian banking trojans, originating from malicious Google ads.

Attack vectors included search phrases and fake advertisments targeting remote desktop apps and online meeting platforms.

A couple of days after releasing our research the FBI issued a PSA, warning users about brand impersonation activity that uses popular search engines as a tool to distribute malware.

Since then, we’ve been on the lookout for similar activity targeting the type of brands targeted in the initial campaign. We’ve uncovered new attack vectors featuring other spoofing activities not limited to the original campaign.

AnyDesk spoofing

One of the brands targeted in the initial campaign was AnyDesk – the remote desktop platform.

With the help of scanned data from Silent Push’s enrichment query, we’ve kept an eye on the AnyDesk attack vector, among other remote desktop tools.

Throughout our collaboration with MalwareBytes whilst investigating DDOS-Guard, we uncovered a host of phishing domains impersonating AnyDesk software on the same IP infrastructure that hosted multiple spoofing pages targeting MSI After Burner, Trading View, Team Viewer, open source software such as OBS Studio and infostealers including Vidar and Aurora.

Through a combination of enriched data monitoring and granular research into DDOS-Guard’s infrastructure, we’ve kept track of similar infostealer-based threat activity, which has stuck around for the last two months.

In many cases, malware is being hosted on legitimate services such as Dropbox and Discord – domains hosted on 45.15.156[.]55 feature download links to an archive file hosted on Discord.

New attacks vectors

At the time of publication, both Dropbox and Discord have taken down multiple links involved in the campaign, but we are still seeing evidence of numerous new domains that are dropping similar infostealers.

Threat actors seem to be using DDOS-Guard’s services to propagate malicious activity.

We discovered multiple domains hosted on one of its IPs – 186.2.171[.]7 – targeting open-source software platforms such as Blender 3D, Digital Audio Editor Audacity, the Brave browser and the image editor GIMP, among others.

Even the spoofing domains that do not feature open source platforms – such as numerous typosquatted domains targeting the Steam community marketplace CS.Money – host malicious content similar to the spoofed open-source domains.

Infostealers and crypto wallets

In all these cases, download links prompt an install of a version of the Vidar infostealer, which in turn attempts to connect to a Telegram account (t[.]me/jetbim) and a Steam profile steamcommunity[.]com/profiles/76561199471266194

The malware is equipped with evasion capabilities, as well as resulting in a timeout in most open-source sandboxes: 

“C:\Windows\System32\cmd.exe” /c timeout /t 6 & del /f /q “C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe” & exit

The infostealer attempts to access a crypto wallet as it tries to read files and directories:

C:\Users\Admin\AppData\Roaming\Electrum\wallets\

C:\Users\Admin\AppData\Roaming\Electrum-LTC\wallets\

C:\Users\Admin\AppData\Local\Coinomi\Coinomi\wallets\

Similar infostealers have been involved in spoofing brand domains redirected from Google ads. We anticipate that these brands will soon be targeted with SEO-poisoned malvertisements.

Cybersecurity-focused social media accounts have recently posted about the open-source Brave browser (one of the brands spoofed on this IP), redirected from Google Ads, which connect with the same Telegram and Steam community account highlighted above, hinting that the campaigns could be linked to the same group of threat actors.

Old campaigns still active with new IoC’s

As global attention turns towards active campaigns, threat actors are showing signs of resilience by moving on to new IoCs and previously unaffected infrastructure.

Banking trojans distributed through fake AnyDesk ads were one of the first malvertisment attack vectors we observed, and new spoofed AnyDesk domains are still being created – wvww.anydeskcom[.]top, featuring the IcedID banking trojan, is only 24 hours old at the time of writing, but the domain is already being distributed through Google ads.

The anydaske[.]website is visible from a Google ad, but the redirect points to a new domain in an attempt to keep one step ahead of researchers and security teams, by creating new IoCs that don’t appear in most global feeds.

Clicking on ‘Download Now’ injects the malicious archive file, containing the IcedID banking trojan.

The domain is hosted on 46.173.218[.]229, which proves the infrastructure consists of domains and brands that were involved in the previous malware distribution campaigns, such as Microsoft Teams, the IRS and Adobe.

Through enriched scanning, we have identified pages being spoofed in numerous different languages, indicating typosquatted domains across multiple distinct global regions.

MetaMask browser extension scam

Malware delivery is not the only attack vector utilised by threat actors looking to abuse search engine platforms with SEO poisoning.

During our Google Ads research, we uncovered a campaign targeting users of the Synapse Bridge Protocol – a popular platform that allows for the transfer of crypto assets between blockchains.

The legitimate Synapse domain asks users to manually connect their crypto wallet of choice to facilitate a secure transaction.

The phishing domain, however, attempts to connect directly with a MetaMask wallet, providing that the MetaMask browser extension is already installed.

Alternatively, the malicious domain asks users to install the extension, if it’s not already enabled in their browser. As the user has been redirected from a legitimate search engine, there is a high chance that many would fall victim to it without manually verifying the correct domain name.

Most domains involved with this scam aren’t flagged on VirusTotal:

Conclusion

SEO poisoning and malvertising are not new techniques, but a recent surge in activity indicates there may be a lot more to come, with numerous new and well-established brands targeted across multiple global regions, languages and applications.

Government authorities such as the FBI have begun to sound the alarm about the rise in cases. Still, the sophistication of the threat actors’ approach and their willingness to switch to new infrastructure means that the number of people affected will inevitably rise.

It’s vitally important for security teams to protect consumers and supply chain operations by deploying proactive modes of defense, including keeping a lookout for any new campaigns utilizing SEO poisoning that are targeting their own or their customers’ infrastructure.

We’ve created a bespoke feed for our paid subscribers to keep one step ahead of threat activity. Our ‘Malvertising Domains’ feed is updated regularly with new IoCs – including suspect domains and IP infrastructure – and we’ll continue to monitor the situation using enriched data from our daily IPv4 scans, featuring billions of nodes across the globe.

Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.

Key points

• Malvertisment campaigns propagated via Google Ads
• AnyDesk remote monitoring software targeted
• Threat activity linked to Russian C2 servers
• Evidence of other malware hashes using the same methods

Background

Over the last few days, threat intelligence researchers have started to expose an SEO poisoning/malvertisment campaign, that’s attempting to propagate a well-known modular banking trojan – IcedID.

Threat actors are elevating malicious download pages to the front page of a Google search for popular applications, such as Slack and AnyDesk, by exploiting Google Ads:

Uncovered: New Anydesk/Gozi phishing campaign

Whilst creating custom threat feeds targeting middle domains found throughout the IcedID campaign, Silent Push threat analysts uncovered previously unexplored threat activity featuring a similar set of TTPs, but using the Ursnif/Gozi banking trojan – an early C2C progenitor with its roots in the Russian criminal underworld – distributed via a different group of AnyDesk phishing pages.

Google search manipulation

Performing a Google search using ‘anydesk download’ as the base parameter populates a set of results featuring a malicious Google Ad for an AnyDesk domain at the top of the list (anydesk-access[.]com), with the legitimate domain (anydesk[.]com) populated as a non-sponsored result immediately below it:

URL-based attack vectors

Previous AnyDesk malvertisment campaigns have featured legitimate URLs in the ad text. As evidenced above, this group of threat actors have managed to circumvent Google Ad safeguards and publish a malicious URL direct from the ad itself.

Clicking on the Google Ad led us to a download page for the aforementioned Gozi/Ursnif trojan executable, with the name ‘AnyDesk.exe’:

It’s interesting to note that the download link only populates via the Google Ad redirect. If the URL is accessed directly, the link doesn’t appear and the domain loads a graphically different webpage:

Undetected in VirusTotal

This browsing anomaly is likely the reason why, when submitted to VirusTotal, the URL is passed off as legitimate by 91 security vendors:

Traffic analysis

A traffic trace using Fiddler shows a malicious domain redirect after the Google Ad populates an iframe from golunki[.]com:

Further investigation reveals another domain loading fake AnyDesk images, where users are led through several 302 redirects to a malicious file download at 4zuki[.]com:

1. golunki[.]com redirects to tradeview[.]moves

2. tradeview[.]moves triggers a script that redirects to a download link, after populating the main site with fake content:

3. The final download destination – 4zuki[.]com/download/AnyDesk.exe

Executable behaviour

Once downloaded, the trojan (f04469b9a67701e9da38b1d86a10546e) attempts to communicate with four C2 servers featuring Russian TLDs:

• reggy505[.]ru
• iujdhsndjfks[.]ru032p
• gameindikdowd[.]ru
• jhgfdlkjhaoiu[.]su

The executable also attempts a code injection attack that causes disruption by interacting with various Windows processes.

The software scans for the installation path of Microsoft Outlook:

“C:\Windows\System32\mshta.exe”

“about:hta:application<script>Xu0e=’wscript.shell’;resizeTo(0,2);eval(new ActiveXObject(Xu0e).regread(‘HKCU\\Software\AppDataLow\Software\Microsoft\CE576D4B-D57C-3028-CFE2-D96473361DD8\\StopTest’));if(!window.flag)close()</script>”

The application also attempts to read system certificates by accessing the corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES

We also witnessed other pieces of malware being distributed using the same set of domains and malvertisments, not limited to Gozi derivatives, using the hash 61e2f9029baf7ce21d8de2eddea55405f20ed5db26ecbdaea42404ca28a08d7c:

Conclusion

This isn’t the first time that AnyDesk users have been the target of a phishing campaign featuring malicious remote access software. Large IT service companies need to be constantly aware of similar attack vectors featuring malicious replicas of popular software applications.

We’re passing our research onto Google and AnyDesk, and populating our custom threat feeds with the Gozi download URLs, related IPs and C2 servers we discovered.

Visit silentpush.com to find out more about the world’s leading early-detection platform.

Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.

Download our Community version and take advantage of the largest free library of SaaS-based threat defence tools available anywhere on the Internet.

IoCs

• anydesk-access[.]com
• reggy505[.]ru
• iujdhsndjfks[.]ru
• 94.198.54[.]97
• gameindikdowd[.]ru
• jhgfdlkjhaoiu[.]su
• 94.198.54[.]97

Background

Malwarebytes recently published a blog post uncovering a malvertisment campaign that used domain cloaking tactics to redirect users to fake Microsoft Windows Defender support pages, that act as a front for a tech support scam.

Our Threat Analysts have conducted further research and discovered that the majority of malicious domains included in the report’s IoCs were hosted on the same four IP addresses, featuring similar network IDs:

• 188.114.97[.]3
• 188.114.97[.]2
• 188.114.96[.]12
• 188.114.96[.]2

Using Silent Push to reveal additional IoCs

Through enriched scans of the threat actor’s public DNS information, we uncovered a large amount of previously unexplored data, along with IoCs relating to the original campaign – both on the same IP ranges and hosted on separate infrastructure.

Our research uncovered numerous additional attack vectors, not limited to the original tech support scam.

We found a variety of fake support page formats, malicious executables and fake browser extensions, suggesting a far broader threat landscape than that which was included in Malwarebyte’s original report.

Let’s take a look at what we found, and how we found it.

Navigating the attackers’ domain infrastructure

To target previously undocumented IoCs, we performed a customised scan of the above IPs, which flagged olalee[.]sbs as a malicious domain:

olalee[.]sbs redirects to 51.159.142[.]92, providing us with an entire subnet to investigate.

Exploring the threat landscape using Silent Push Reverse A record lookups

Using Silent Push’s Reverse A lookup tool (available on our free Community app), we discovered that all TLDs on the 51.159.142[.]92 subnet containing the characters .xyz, .sbs, .click, .cfd, and .cyou hosted malicious campaigns on their associated domain names (see below example):

We also discovered another group of TLDs – .ga, .gq and .tk – either currently residing on 188.114.9x.x (see above), 104.21.17.x and 172.67.176.x, or showing evidence of having used those particular groups of network IDs at some point in the past.

Legitimate hosting platforms affected

The attacker’s infrastructure isn’t limited to suspect hosting sites. We found evidence of fake tech support pages set up through well-known hosting providers such as Cloudflare (originalcenter.pages[.]dev), 000WebHost (unnourished-region.000webhostapp[.]com) and Netlify (microsoft-windows[.]netlify.app):

Analysing the malicious installers

As we navigated through the threat actors’ public DNS infrastructure, we encountered domains that played host to a variety of malicious activities, including fake executable installers, fake browsers and hoax Chrome extensions, with many of the scam domains being passed off as safe by security vendors (see below).

Example installer domain – mantis.edition-eltern[.]com

During our research, we came across mantis.edition-eltern[.]com, masquerading as an Asian discussion forum with branding similar to the now-defunct Yahoo Answers, which shut down in May 2021:

Following the ‘Windows Defender’ link, users are redirected to the below site, prompting a download of what appears to be a Windows Defender installer:

Once clicked, the ‘Download Now’ button redirects again to a malicious Chrome extension:

Querying mantis.edition-eltern[.]com across 91 security vendors returned zero flags:

The Chrome extension fared slightly worse, but only just, appearing in a solitary vendor’s list of malicious apps:

Picking apart the installer’s functions

After conducting further analysis of ChromSetup.exe, we discovered several malicious characteristics:

• An invalid signer

• Forcefully adding itself as a Chrome extension through registry changes:

REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f 

• Initiating a Chrome instance after the extension has been installed, without a corresponding startup window:

"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window

• Using Powershell commands to create its own text file, in a local directory, and adding the file to ‘Powershell ExecutionPolicy Bypass’, allowing the extension to ignore a built-in safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts.

Powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\\chrome.ps1 

Other installer-based attack vectors

Some other installers we encountered masqueraded as adblockers, streaming applications and even standalone web browsers:

The attackers haven’t limited themselves to malicious software downloads.

There’s also evidence of hoax payment portals (redirected from the above streaming site) that initiate browser-hijacking sessions, and embed adware such as static.hotjar:

Uncovering other fake support campaigns

Using enriched data harvested from our daily scans of millions of domains across the entire IPv4 range, we performed further granular searches that identified numerous other fake support pages.

These pages differ visually from the original Windows Defender campaign (or attempt to spoof another vendor entirely) but feature the same angle of attack – a hoax tech support line.

Here’s an example featuring a different language, and an EU telephone number:

Other examples show the attackers targeting McAfee, instead of Microsoft:

Silent Push custom threat feeds

We’ve passed our research on to all the affected organisations – including the legitimate hosting providers that are being used to host malicious content.

We’re currently in the process of creating a custom feed that lists all associated malicious infrastructure, that paid subscribers can integrate with their existing security stack, ensuring early detection and enabling proactive monitoring of the attack surface with data that isn’t seen in other global feeds.

Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.

To download our free Community app – the largest free library of SaaS-based threat defence tools available anywhere in the world, including some of the queries we’ve mentioned in this report – visit Silent Push Community App — Silent Push Threat Intelligence

Indicators of Compromise

Websites and domains

• lovetechie[.]com
• mail.supporttechwin[.]net/
• microsoft-windows[.]netlify.app
• microsoft-windows-defender-offline.descargasbajar[.]com
• mantis.edition-eltern[.]com
• windows-defender-hub-1.downloadsgeeks[.]com
• windows-defender-hub-1.down4you[.]software
• assistance.pages[.]dev
• unnourished-region.000webhostapp[.]com
• lugyt2[.]tk
• hellboylucy509.000webhostapp[.]com
• originalcenter.pages[.]dev
• falernian-plane.000webhostapp[.]com
• royyu[.]SBS
• lugyt2[.]tk
• alasred[.]click
• fasertshop[.]online
• futuresystemerrors.thevalueformoneywithsolar[.]com
• hellboylucy509.000webhostapp[.]com
• supporttech-win[.]com
• supportfr.pages[.]dev
• gakey.axoneday[.]xyz
• www.olalee[.]sbs
• microsoft-windows.netlify[.]app
• thanforestacion[.]xyz
• hollowpe[.]xyz
• shoughpe[.]xyz
• parfaype[.]xyz
• pishcds[.]xyz
• goalsamsunet[.]xyz
• ariyntpe[.]xyz
• oyezsre[.]cyou
• asafry[.]cyou
• guyle[.]cyou
• eighred[.]xyz
• onuwe[.]cyou
• tyorr[.]cyou
• enoighpe[.]xyz
• kandoura[.]xyz
• opakia[.]xyz
• jogay[.]SBS
• fronttm[.]SBS
• playtm[.]sbs
• queentm[.]sbs
• yeartm[.]sbs
• leoorr[.]sbs
• nedlee[.]sbs
• quothape[.]click
• flattm[.]click
• uhsdl[.]click
• yoickspe[.]click
• pridetm[.]click
• shirttm[.]click
• edlin[.]click
• hartowpe[.]click
• jaykey[.]click
• tiletm[.]click
• alasred[.]click
• hurrahpe[.]click
• begonepe[.]click
• shapetm[.]click
• bofry[.]click
• oraltm[.]click
• misttm[.]click
• royyu[.]sbs
• valgay[.]sbs
• filltm[.]sbs
• olalee[.]sbs
• leakim[.]click
• ringtm[.]click
• alray[.]click
• aunttm[.]click
• evamay[.]click
• papertm[.]click
• halli[.]click
• tylee[.]sbs
• eliray[.]sbs
• bokim[.]sbs
• pamho[.]click
• nedpee[.]sbs
• sallin[.]cfd
• wmday[.]cfd
• guylam[.]cfd
• wavetm[.]cfd
• kneetm[.]cfd
• sailtm[.]cfd
• asafox[.]cfd
• cordtm[.]cfd
• ridertm[.]cfd
• leegay[.]cfd
• buyertm[.]cfd
• iuyw[.]cfd
• egadsre[.]cfd
• eventtm[.]cfd
• goaltm[.]cfd
• dutytm[.]cfd
• louwu[.]cfd
• leoorr[.]cfd
• angertm[.]cfd
• joliu[.]cfd
• loufox[.]cfd
• alorr[.]cfd
• errorlogwiththechecker[.]xyz/
• rodmay[.]sbs
• taawatchtuttlect[.]tk
• compcadisp[.]ga
• exarber[.]gq
• taoriohaybras[.]tk
• cepphonand[.]gq
• tranmalirilinkwor[.]tk
• arbalsafedager[.]tk
• nestibufecomsoft[.]cf
• preseptic[.]tk
• mispnonpstarcupimcomp[.]tk