On Friday, March 10th, 2023, Silicon Valley Bank collapsed. The financial institution’s unexpected failure spread chaos amongst thousands of businesses, including tech companies, VCs, and other banks.

With the failure comes a massive opportunity for crime groups to take advantage of vulnerable companies seeking out information and trying get access to their funds, creating an additional existential threat for all those affected.

Background

The collateral damage caused by SVB’s collapse is most noticeable in the form of countless clients trying to desperately relocate their funds. However, third-party companies with outstanding payments from SVB customers or stakeholders are equally affected, and need to overcome liquidity bottlenecks to pay their bills and stay afloat.

In short, the financial reality of thousands of companies is currently dominated by uncertainty and desperate urgency.

The door for fraud is wide open. Our Threat Analysts are already tracking malicious infrastructure that’s been set up to take advantage of the situation. The risk applies to anyone affiliated with SVB and its clients.

Attack Vectors

Bank and invoice frauds are some of the easiest ways for crime groups to gain quick wins.

Threat actors constantly monitor for major events such as the SVB crash, and exploit the fact that thousands of organizations and individuals need to communicate their banking credentials this week to secure their funds and process payments.

SVB Spoofing

The most obvious targets are those directly affected by SVB’s collapse, i.e. those holding deposits with the bank.

SVB customers need to check in on their funds and most likely transfer them to different accounts outside of SVB.

We’re already tracking a huge spike in domains potentially imitating SVB, many of which we expect to be launching malicious content soon:

Threat actors can use the typosquatted SVB domains to redirect traffic to their infrastructure and add legitimacy to it. We’re also expecting to see spoofing pages imitating SVB’s branding and digital presence to entice users to interact with fake login portals designed to harvest credentials.

We extensively cover the TTPs of brand impersonation here.

We’re expecting phishing emails and messages imitating SVB that target the bank’s clients. These attacks will use urgent messaging and aggressive CTAs to pressure recipients to share private information, or visit fraudulent domains.

Case Study – svb-usdc[.]com

We’ve marked the typosquatted domain svb-usdc[.]com as an active threat.

The domain is part of a cryptocurrency scam that poses as a USDC reward/compensation program for SVB clients.

Most of the phishing page’s content is copied from svb[.]com/private-bank/lending/mortgage-lending:

The button added to the fraudulent page redirects users to a cryptocurrency wallet via WalletConnect:

Case Study – pay.fsvb[.]net

We’ve also discovered malicious SVB-typosquatted domains related to pay.fsvb[.]net. They are likely part of a phishing campaign aimed at misappropriating users’ payment details.

The domains are registered on GoDaddy and make use of the platform’s online payment option:

Fake refunds

Many individuals and organizations not directly affiliated with SVB are still affected by the crash, and are now waiting for potential pay-backs, refunds, and insurance claims.

We’re also seeing companies struggling with liquidity bottlenecks, meaning entire staff, as well as third-party clients, are dealing with with frozen salary and services payments.

Threat actors have the opportunity to imitate a variety of organizations and institutions offering supposed financial support, aid, and compensation. As above, this can be either achieved through simple typosquatting or combined with brand spoofing and phishing campaigns.

It is also likely for unaffected individuals to be targeted under the pretext that they are, in fact, eligible for monetary compensation.

Case Study – redemptions-circle[.]com

We uncovered additional infrastructure associated with the cryptocurrency fraud mentioned above. The related domains impersonate Circle, and were registered after the company announced they had $3.3bn of their USDC cash reserves with SVB.

The phishing pages urge users to connect their crypto wallets to reclaim USDC:

We’ve also discovered pages displaying SVB’s logo in combination with Circle’s branding.

Invoice fraud & requests to change payment information

Invoice fraud consists of threat actors posing as a company’s supplier and requesting payment on their behalf.

This is often combined with an explanation as to why the funds need to be transferred to a different bank account than was previously used.

Following SVB’s failure, thousands of companies will have to forcefully change banks, and thus thousands of their clients can expect updated invoices and payment requests.

Some may still be unsure as to whether or not their suppliers are affected by the SVB collapse, and will be awaiting updates.

Threat actors will use this opportunity to contact companies and request payments to new recipient accounts, using the excuse that payments via SVB are now impossible.

Additional factors

Lack of two-factor authentication

SVB does not enforce 2FA, making both itself and its deposit holders far more vulnerable to fraud and security breaches.

Once threat actors are in receipt of SVB’s customers’ details, a lack of 2FA means that they do not have to overcome additional security hurdles to gain access to the accounts in question.

Not enforcing 2FA also makes it easier for threat actors to pass off fake login pages as legitimate.

Unusual legitimate behavior mixed with genuine threats

While it is possible for banks (and their clients) to notice suspicious transfers and malicious activity, the environment surrounding SVB almost exclusively encourages irregular account activity.

The current panic will make it easy for threat actors to go unnoticed long before the dust has settled.

Managing the risk

The threat landscape caused by SVBs collapse is extremely aggressive and has the potential to adversley affect countless institutions and organizations.

We’re dedicating our resources to offer real-time insights into the threats and to help companies stay ahead of potential attacks.

Stay informed about SVB imitators

We’ve created an SVB spoofing feed that scans global DNS infrastructure for signs of threat actors imitating the bank.

The feed is automatically updated, and contains all recently registered domains relating to SVB.

Not all domains listed here are malicious or have not yet had malicious activity hosted on them.

Since we expect a spike in fraudulent campaigns in the coming weeks, we’re closely monitoring all associated assets and we’ll flag serious threats as and when they appear.

Protect yourself from impersonation

We’re offering our free typosquatting tool for companies to detect domains and email communication falsely created on their behalf.

SVB’s crash creates an opportunity for impersonation campaigns and attacks targeting a vast number of brands and organizations. We’re encouraging particular awareness of invoice fraud committed in your name.

Impersonation attempts are a liability to you and your assets and can cause lasting reputation damage. Detecting malicious infrastructure before it can facilitate an attack is the best way to keep your organization safe.

Get access to our free community app and typosquatting tool here.

Indicators of Compromise

Below is a categorized list of the IoCs discussed in this article. Please note that the actual number of IoCs is far greater.

We track several malicious groups and threats. Comprehensive lists of real-time IoCs relating to SVB bank and others are available with a Silent Push Enterprise subscription.

Enterprise users can search for IoCs related to this campaign using the tag sp-blog-2023-03-15.

Domains impersonating SVB

svb-usdc[.]com

svb-usdc[.]net

pay.fsvb[.]net

pay.nextsvb[.]com

pay.siliconvalleybankmovie[.]com

pay.siliconvalleybanktradeclaim[.]com

pay.svbbankruptcy[.]com

pay.svbdeposits[.]com

pay.svbrecovery[.]com

pay.wefinancesvbclients[.]com

Domains impersonating SVB and Circle

circle-reserve[.]com

circle-usdc[.]net

claimcircle[.]net

reserve-circle[.]com

usdc-circle[.]net 

Domains impersonating Circle

airdrops-circle[.]com

allocation-circle[.]com

circle-bonus[.]com

circle-gifts[.]co

circle-reserves[.]com

circle-reward[.]com

circle-usdcoin[.]co

circle-usdcoin[.]com

circle[.]tips

circlecustody[.]org

circleusdcoin[.]com

circleusdcswap[.]com

claim-circle[.]org

claimingcircle[.]com

claims-circle[.]xyz

joinus-circle[.]com

redeemable-circle[.]com

redeemed-circle[.]com

redemptions-circle[.]com

Background

Last month we blogged about malvertisement activity involving Russian banking trojans, originating from malicious Google ads.

Attack vectors included search phrases and fake advertisments targeting remote desktop apps and online meeting platforms.

A couple of days after releasing our research the FBI issued a PSA, warning users about brand impersonation activity that uses popular search engines as a tool to distribute malware.

Since then, we’ve been on the lookout for similar activity targeting the type of brands targeted in the initial campaign. We’ve uncovered new attack vectors featuring other spoofing activities not limited to the original campaign.

AnyDesk spoofing

One of the brands targeted in the initial campaign was AnyDesk – the remote desktop platform.

With the help of scanned data from Silent Push’s enrichment query, we’ve kept an eye on the AnyDesk attack vector, among other remote desktop tools.

Throughout our collaboration with MalwareBytes whilst investigating DDOS-Guard, we uncovered a host of phishing domains impersonating AnyDesk software on the same IP infrastructure that hosted multiple spoofing pages targeting MSI After Burner, Trading View, Team Viewer, open source software such as OBS Studio and infostealers including Vidar and Aurora.

Through a combination of enriched data monitoring and granular research into DDOS-Guard’s infrastructure, we’ve kept track of similar infostealer-based threat activity, which has stuck around for the last two months.

In many cases, malware is being hosted on legitimate services such as Dropbox and Discord – domains hosted on 45.15.156[.]55 feature download links to an archive file hosted on Discord.

New attacks vectors

At the time of publication, both Dropbox and Discord have taken down multiple links involved in the campaign, but we are still seeing evidence of numerous new domains that are dropping similar infostealers.

Threat actors seem to be using DDOS-Guard’s services to propagate malicious activity.

We discovered multiple domains hosted on one of its IPs – 186.2.171[.]7 – targeting open-source software platforms such as Blender 3D, Digital Audio Editor Audacity, the Brave browser and the image editor GIMP, among others.

Even the spoofing domains that do not feature open source platforms – such as numerous typosquatted domains targeting the Steam community marketplace CS.Money – host malicious content similar to the spoofed open-source domains.

Infostealers and crypto wallets

In all these cases, download links prompt an install of a version of the Vidar infostealer, which in turn attempts to connect to a Telegram account (t[.]me/jetbim) and a Steam profile steamcommunity[.]com/profiles/76561199471266194

The malware is equipped with evasion capabilities, as well as resulting in a timeout in most open-source sandboxes: 

“C:\Windows\System32\cmd.exe” /c timeout /t 6 & del /f /q “C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe” & exit

The infostealer attempts to access a crypto wallet as it tries to read files and directories:

C:\Users\Admin\AppData\Roaming\Electrum\wallets\

C:\Users\Admin\AppData\Roaming\Electrum-LTC\wallets\

C:\Users\Admin\AppData\Local\Coinomi\Coinomi\wallets\

Similar infostealers have been involved in spoofing brand domains redirected from Google ads. We anticipate that these brands will soon be targeted with SEO-poisoned malvertisements.

Cybersecurity-focused social media accounts have recently posted about the open-source Brave browser (one of the brands spoofed on this IP), redirected from Google Ads, which connect with the same Telegram and Steam community account highlighted above, hinting that the campaigns could be linked to the same group of threat actors.

Old campaigns still active with new IoC’s

As global attention turns towards active campaigns, threat actors are showing signs of resilience by moving on to new IoCs and previously unaffected infrastructure.

Banking trojans distributed through fake AnyDesk ads were one of the first malvertisment attack vectors we observed, and new spoofed AnyDesk domains are still being created – wvww.anydeskcom[.]top, featuring the IcedID banking trojan, is only 24 hours old at the time of writing, but the domain is already being distributed through Google ads.

The anydaske[.]website is visible from a Google ad, but the redirect points to a new domain in an attempt to keep one step ahead of researchers and security teams, by creating new IoCs that don’t appear in most global feeds.

Clicking on ‘Download Now’ injects the malicious archive file, containing the IcedID banking trojan.

The domain is hosted on 46.173.218[.]229, which proves the infrastructure consists of domains and brands that were involved in the previous malware distribution campaigns, such as Microsoft Teams, the IRS and Adobe.

Through enriched scanning, we have identified pages being spoofed in numerous different languages, indicating typosquatted domains across multiple distinct global regions.

MetaMask browser extension scam

Malware delivery is not the only attack vector utilised by threat actors looking to abuse search engine platforms with SEO poisoning.

During our Google Ads research, we uncovered a campaign targeting users of the Synapse Bridge Protocol – a popular platform that allows for the transfer of crypto assets between blockchains.

The legitimate Synapse domain asks users to manually connect their crypto wallet of choice to facilitate a secure transaction.

The phishing domain, however, attempts to connect directly with a MetaMask wallet, providing that the MetaMask browser extension is already installed.

Alternatively, the malicious domain asks users to install the extension, if it’s not already enabled in their browser. As the user has been redirected from a legitimate search engine, there is a high chance that many would fall victim to it without manually verifying the correct domain name.

Most domains involved with this scam aren’t flagged on VirusTotal:

Conclusion

SEO poisoning and malvertising are not new techniques, but a recent surge in activity indicates there may be a lot more to come, with numerous new and well-established brands targeted across multiple global regions, languages and applications.

Government authorities such as the FBI have begun to sound the alarm about the rise in cases. Still, the sophistication of the threat actors’ approach and their willingness to switch to new infrastructure means that the number of people affected will inevitably rise.

It’s vitally important for security teams to protect consumers and supply chain operations by deploying proactive modes of defense, including keeping a lookout for any new campaigns utilizing SEO poisoning that are targeting their own or their customers’ infrastructure.

We’ve created a bespoke feed for our paid subscribers to keep one step ahead of threat activity. Our ‘Malvertising Domains’ feed is updated regularly with new IoCs – including suspect domains and IP infrastructure – and we’ll continue to monitor the situation using enriched data from our daily IPv4 scans, featuring billions of nodes across the globe.

Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.

Key points

• Malvertisment campaigns propagated via Google Ads
• AnyDesk remote monitoring software targeted
• Threat activity linked to Russian C2 servers
• Evidence of other malware hashes using the same methods

Background

Over the last few days, threat intelligence researchers have started to expose an SEO poisoning/malvertisment campaign, that’s attempting to propagate a well-known modular banking trojan – IcedID.

Threat actors are elevating malicious download pages to the front page of a Google search for popular applications, such as Slack and AnyDesk, by exploiting Google Ads:

Uncovered: New Anydesk/Gozi phishing campaign

Whilst creating custom threat feeds targeting middle domains found throughout the IcedID campaign, Silent Push threat analysts uncovered previously unexplored threat activity featuring a similar set of TTPs, but using the Ursnif/Gozi banking trojan – an early C2C progenitor with its roots in the Russian criminal underworld – distributed via a different group of AnyDesk phishing pages.

Google search manipulation

Performing a Google search using ‘anydesk download’ as the base parameter populates a set of results featuring a malicious Google Ad for an AnyDesk domain at the top of the list (anydesk-access[.]com), with the legitimate domain (anydesk[.]com) populated as a non-sponsored result immediately below it:

URL-based attack vectors

Previous AnyDesk malvertisment campaigns have featured legitimate URLs in the ad text. As evidenced above, this group of threat actors have managed to circumvent Google Ad safeguards and publish a malicious URL direct from the ad itself.

Clicking on the Google Ad led us to a download page for the aforementioned Gozi/Ursnif trojan executable, with the name ‘AnyDesk.exe’:

It’s interesting to note that the download link only populates via the Google Ad redirect. If the URL is accessed directly, the link doesn’t appear and the domain loads a graphically different webpage:

Undetected in VirusTotal

This browsing anomaly is likely the reason why, when submitted to VirusTotal, the URL is passed off as legitimate by 91 security vendors:

Traffic analysis

A traffic trace using Fiddler shows a malicious domain redirect after the Google Ad populates an iframe from golunki[.]com:

Further investigation reveals another domain loading fake AnyDesk images, where users are led through several 302 redirects to a malicious file download at 4zuki[.]com:

1. golunki[.]com redirects to tradeview[.]moves

2. tradeview[.]moves triggers a script that redirects to a download link, after populating the main site with fake content:

3. The final download destination – 4zuki[.]com/download/AnyDesk.exe

Executable behaviour

Once downloaded, the trojan (f04469b9a67701e9da38b1d86a10546e) attempts to communicate with four C2 servers featuring Russian TLDs:

• reggy505[.]ru
• iujdhsndjfks[.]ru032p
• gameindikdowd[.]ru
• jhgfdlkjhaoiu[.]su

The executable also attempts a code injection attack that causes disruption by interacting with various Windows processes.

The software scans for the installation path of Microsoft Outlook:

“C:\Windows\System32\mshta.exe”

“about:hta:application<script>Xu0e=’wscript.shell’;resizeTo(0,2);eval(new ActiveXObject(Xu0e).regread(‘HKCU\\Software\AppDataLow\Software\Microsoft\CE576D4B-D57C-3028-CFE2-D96473361DD8\\StopTest’));if(!window.flag)close()</script>”

The application also attempts to read system certificates by accessing the corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES

We also witnessed other pieces of malware being distributed using the same set of domains and malvertisments, not limited to Gozi derivatives, using the hash 61e2f9029baf7ce21d8de2eddea55405f20ed5db26ecbdaea42404ca28a08d7c:

Conclusion

This isn’t the first time that AnyDesk users have been the target of a phishing campaign featuring malicious remote access software. Large IT service companies need to be constantly aware of similar attack vectors featuring malicious replicas of popular software applications.

We’re passing our research onto Google and AnyDesk, and populating our custom threat feeds with the Gozi download URLs, related IPs and C2 servers we discovered.

Visit silentpush.com to find out more about the world’s leading early-detection platform.

Follow us on LinkedIn and Twitter for weekly threat intelligence updates and research.

Download our Community version and take advantage of the largest free library of SaaS-based threat defence tools available anywhere on the Internet.

IoCs

• anydesk-access[.]com
• reggy505[.]ru
• iujdhsndjfks[.]ru
• 94.198.54[.]97
• gameindikdowd[.]ru
• jhgfdlkjhaoiu[.]su
• 94.198.54[.]97