Why it matters: Cybercriminals constantly scan the technology landscape for new ways to exploit users and harvest their personal data. Phishing attacks have long tricked users into handing over sensitive information by posing as a trusted source and requesting their details. Now, according to the threat intelligence group Cisco Talos, a malvertising campaign is gaining traction as an effective way of collecting information from unsuspecting users.
Cisco Talos reports that the campaign, which it calls "Magnat", uses malvertising (fraudulent online advertising) to lure users who are searching for legitimate software installers onto fake download pages. Talos believes the Magnat campaign may have been active since late 2018 and targets users in Canada, the United States, Australia and several European countries.
Once a user reaches the rogue download, they launch a fake installer that deploys three distinct pieces of malware on the system. The fake installer installs these malicious components but never installs the application the user was actually looking for.
The first is a password stealer that harvests user credentials, usually the commodity stealer known as Redline. The second, MagnatBackdoor, establishes remote access to the victim's device via Microsoft Remote Desktop (RDP). That access, combined with the credentials stolen by Redline (or a similar tool), can give the attacker unhindered access to the user's systems even when the host sits behind a firewall. The third member of the trio is a Chrome browser extension called MagnatExtension, which is used for keylogging, taking screenshots of sensitive information, and more.
An August 2021 tweet provided screenshots and uploaded samples of the suspected malicious ad campaign. Talos analyzed the samples referenced in the tweet and confirmed that at least one of them contains the malicious components MagnatBackdoor, MagnatExtension and Redline.
.zip -> .iso -> .exe
https://t.co/J5npamHM1P
Creates a new user account, redirects the RDP port, dumps RDPWrap … Damn.
– Aura (@SecurityAura) August 9, 2021
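The behaviours described for MagnatBackdoor and MagnatExtension (a newly added local account, a redirected RDP port, an RDPWrap drop, and a browser extension that logs keystrokes and takes screenshots) are all things a responder can check for directly on a suspect host. The triage script below is an added example and is not Talos' code or the malware's; it only reports on the standard Windows registry locations for RDP and the TermService DLL. The RDP Wrapper install path, the Chrome profile path, the "broad permission" list and the forced-install policy check are assumptions, not claims about how Magnat itself installs.

```powershell
# Host triage for the MagnatBackdoor / MagnatExtension behaviours described above.
# Added example, not Talos' or the malware author's code. Registry paths for RDP
# and TermService are the standard Windows ones; the RDPWrap install path, the
# Chrome profile path and the permission list are assumptions. Run elevated on
# the suspect host (Windows PowerShell 5.1 or later).

function Invoke-MagnatTriage {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $detail) {
        $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
    }

    # 1. Enabled local accounts that can log in remotely. Compare against the
    #    build baseline: an account the admin does not recognise is the lead.
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        try {
            Get-LocalGroupMember -Group $group -ErrorAction Stop |
                Where-Object { $_.PrincipalSource -eq 'Local' } |
                ForEach-Object {
                    $u = Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
                    if ($u -and $u.Enabled) {
                        Add-Finding 'LocalAccountWithRemoteAccess' "$group : $($u.Name) (last logon: $($u.LastLogon))"
                    }
                }
        } catch { Add-Finding 'Error' "Cannot enumerate group '$group': $($_.Exception.Message)" }
    }

    # 2. RDP switched on, and the listener moved away from the default port 3389.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = Join-Path $ts 'WinStations\RDP-Tcp'
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    if ($deny -eq 0)               { Add-Finding 'RdpEnabled'        'fDenyTSConnections = 0' }
    if ($port -and $port -ne 3389) { Add-Finding 'RdpPortRedirected' "RDP-Tcp PortNumber = $port" }

    # 3. RDP Wrapper: TermService normally loads termsrv.dll; RDPWrap points the
    #    ServiceDll value at its own rdpwrap.dll (default install path assumed).
    $svcDll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' `
                                -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($svcDll -and ($svcDll -notmatch '\\termsrv\.dll$')) { Add-Finding 'TermServiceDllHijacked' "ServiceDll = $svcDll" }
    $wrap = 'C:\Program Files\RDP Wrapper\rdpwrap.dll'
    if (Test-Path $wrap) { Add-Finding 'RdpWrapPresent' $wrap }

    # 4. Chrome extensions holding permissions a keylogging/screenshot extension
    #    would need, plus any policy-forced installs (a common sideload route;
    #    an assumption here, not a statement about Magnat's own install method).
    $broad   = 'tabs', 'webRequest', 'webNavigation', '<all_urls>', 'clipboardRead', 'desktopCapture', 'nativeMessaging'
    $extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    Get-ChildItem -Path $extRoot -Recurse -Filter manifest.json -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $m     = Get-Content -Raw -Path $_.FullName | ConvertFrom-Json
            $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] }
            $hit   = $perms | Where-Object { $broad -contains $_ }
            # Layout is Extensions\<extension id>\<version>\manifest.json
            if ($hit) { Add-Finding 'ChromeExtensionBroadPerms' "$($m.name) [$($_.Directory.Parent.Name)] : $($hit -join ', ')" }
        } catch { }
    }
    $policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (Test-Path $policy) {
        (Get-ItemProperty -Path $policy).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { Add-Finding 'ChromeForcedExtension' $_.Value }
    }

    return $findings
}

Invoke-MagnatTriage | Format-Table -AutoSize
```

None of these checks is a confirmed indicator on its own: an administrator may legitimately enable RDP or move its port, and many benign extensions ask for "tabs". The value is in the combination: a fresh local account in Remote Desktop Users, a non-default RDP port and a replaced TermService DLL appearing together on a workstation that recently ran an installer named like a popular application is the pattern worth escalating.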
Talos believes the Magnat tools have been developed and refined over the years and sees no sign of the campaign slowing down. The installer package name changes constantly and usually mimics the name of a popular application to win the user's trust and get them to run it. Past package names include viber-25164.exe, wechat-35355.exe, build_9.716-6032.exe, setup_164335.exe, nox_setup_55606.exe and battlefieldsetup_76522.exe.
Image Credit: Magnat malware schema by Cisco Talos