Malwarebytes has reported a surge in malicious ads that have been detected on Google searches related to Zoom, the widely-used video conferencing software. Cyber threat actors have been strategically rotating between keywords, such as "Advanced IP Scanner" and "WinSCP," which typically appeal to IT administrators. These campaigns, while appearing to target Zoom users, potentially seek victims involved in cryptocurrencies and corporate networks.
Within this context, two distinct cases have emerged according to Malwarebytes -- shedding light on the evolving tactics of these malicious actors:
Case #1: HiroshimaNukes
This case introduces a previously undisclosed loader called HiroshimaNukes, which deploys additional payloads designed for data theft. The loader's objective is to compromise user data through a series of intricate techniques, including DLL side-loading.
Case #2: FakeBat and Hunting Panel
The second case centers on a campaign utilizing the FakeBat loader, accompanied by a tracking mechanism via a control panel referred to as "Hunting Panel 1.40." This panel, hitherto unfamiliar, serves as a tool for monitoring and tracking victims throughout their malicious campaigns.
The threat actors behind these campaigns employ a range of deceptive tactics to avoid detection, including the use of fake identities to create multiple advertiser accounts. They also infiltrate legitimate advertising accounts, potentially compromised, to insert malicious Zoom ads. This combination of tactics has allowed them to generate substantial traffic and lure unsuspecting users into their schemes.
One particularly notable aspect of these campaigns is the use of tracking templates to conceal the redirection mechanism, which can lead to either the legitimate Zoom website or a malicious site. These threat actors exploit services like AppsFlyer and HYROS for their redirections.
Distribution and Malware Payload
Unsuspecting users searching for "zoom" on Google are presented with sponsored results that mimic the official Zoom website. Clicking on these ads triggers the download of a malicious version of the Zoom installer, containing PowerShell scripts that serve as the delivery mechanism for the malware.
The Role of DLL Side-loading
DLL side-loading, a technique used by malware authors to evade detection, plays a significant role in these campaigns. This method involves replacing a legitimate DLL file used by an executable program with a malicious one of the same name and location. In the HiroshimaNukes case, threat actors used this technique to sideload malicious DLLs, posing as legitimate libraries.
Control Panel: "Hunting Panel 1.40"
The discovery of a control panel known as "Hunting Panel 1.40" suggests an advanced level of tracking and monitoring by the threat actors. This control panel allows them to keep tabs on victims and campaign progress.
Protection and Ongoing Vigilance
Malvertising continues to be a favored vector for malware delivery, as threat actors adeptly circumvent ad verification checks and even evade security solutions. Researchers and cybersecurity experts are actively monitoring and reporting on new malvertising campaigns to ensure user protection.
Both consumers and enterprise users are urged to remain vigilant and prioritize robust cybersecurity measures to thwart these evolving threats. The multifaceted nature of these malicious campaigns underscores the need for constant vigilance and proactive defenses against cyber adversaries.