Hacked corporate sites and news blogs running the WordPress CMS are being used by attackers to deliver a backdoor that lets them drop second-stage payloads such as keyloggers, info stealers, and Trojans.
The compromised sites serve landing pages designed to look like a legitimate Google Chrome update page, which instruct visitors to download an update for their browser.
Instead of a Chrome update, however, the targets download malware installers that infect their devices and let the operators behind this campaign take control of the computers remotely.
Once executed, the malware installer drops a TeamViewer installation and unpacks two password-protected SFX archives containing the files needed to open the fake update page and to accept remote connections, as well as a script the malware uses to bypass the built-in Windows antivirus.
Hacking group behind several campaigns
The group behind this attack “was previously involved in spreading a fake installer of the popular VSDC video editor through its official website and the CNET software platform,” as Doctor Web researchers revealed in their analysis published today.
They are also behind an attack that used a fake NordVPN website to infect targets with the Bolik banking Trojan behind the scenes, while actually installing the NordVPN client to avoid raising any suspicions.
Previously, the group used the compromised sites to deliver the final payloads directly, a banking Trojan and the KPOT info stealer; this time it switched to a more complex infection chain built around a backdoor that lets it drop other malware on demand.
The attackers use the backdoor to deliver the X-Key Keylogger, the Predator The Thief stealer, and a Trojan that lets them control the infected computers over RDP.
Geolocation used to choose targets
“Target selection is based on geolocation and browser detection. The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser,” the researchers explain.
“It is worth noting that the downloaded file has a valid digital signature identical to the signature of the fake NordVPN installer distributed by the same criminal group.”
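A "valid" Authenticode signature only means the file's hash matches and the certificate chains to a trusted root; it says nothing about who the signer is. Because the report says both the fake Chrome update and the earlier fake NordVPN installer carry the same signature, the signer certificate is a campaign indicator worth extracting and hunting on. The PowerShell below is an added example written for this page, not code from Doctor Web or the reporting outlet; the sample paths and the name of the NordVPN sample are assumed, and only the `Critical_Update.exe` file name comes from the article.

```powershell
# Added example: compare the Authenticode signers of two suspect installers and
# hunt for other files signed with the same certificate.
# Paths below are assumptions for an analysis VM; the report does not give them.
param(
    [string]$SampleA = 'C:\samples\Critical_Update.exe',          # file name from the report, path assumed
    [string]$SampleB = 'C:\samples\fake_nordvpn_installer.exe'    # name and path assumed
)

function Get-SignerSummary {
    # Return the signature status, signer identity and SHA-256 of one file.
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file is unsigned

    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Issuer     = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

function Find-FilesSignedBy {
    # Walk a directory tree and list PE files whose signer certificate thumbprint matches.
    # Useful once a campaign certificate has been identified from a known sample.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Root = 'C:\Users'          # assumed starting point; widen as needed
    )

    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.SignerCertificate -and $_.SignerCertificate.Thumbprint -eq $Thumbprint } |
        Select-Object -Property Path, Status
}

$a = Get-SignerSummary -Path $SampleA
$b = Get-SignerSummary -Path $SampleB
$a, $b | Format-List

if ($a.Thumbprint -and $a.Thumbprint -eq $b.Thumbprint) {
    Write-Warning ("Both files are signed by the same certificate ({0}). " +
                   "A Valid status here is a campaign indicator, not evidence of legitimacy.") -f $a.Subject
    # Hunt for other binaries signed with the same certificate on this host.
    Find-FilesSignedBy -Thumbprint $a.Thumbprint
}
```

Run it from an isolated analysis VM, never on a production workstation, and keep the samples out of any path your EDR or AV would act on before you have recorded the hashes. Once the thumbprint is known it can be fed to AppLocker or Windows Defender Application Control as a blocked publisher, and to a certificate-revocation request to the issuing CA.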
The fake Chrome updates come in the form of two malicious installers named Critical_Update.exe and Update.exe. The former has been downloaded over 2,290 times since it was added to the Bitbucket repository used for malware delivery, while the latter has already been pushed to over 300 unsuspecting targets' machines in the last seven hours alone.