Thousands of hacked websites unknowingly participate in a sophisticated scheme that uses fake update notifications to install banking malware and remote access Trojans on visitors’ computers. researchers announced on Tuesday.
Running for at least four months, this campaign is capable of compromising websites running various content management systems, including WordPress, Joomla, and SquareSpace. This is according to a blog post by Malwarebytes lead his Malware Intelligence Analyst Jérôme Segura. According to him, the hackers sent a legitimate-looking message to a limited number of visitors to the site telling them to install an update for Firefox, Chrome, or Flash, depending on the browser they were using. to display.
malware bytes
To evade detection, attackers fingerprint potential targets to ensure, among other things, that bogus update notifications are delivered only once to a single IP address. Another piece of evidence of the attacker’s resourcefulness is that while update templates are hosted on hacked websites, carefully selected targets who fall for the scam download malicious JavaScript files from DropBox. is. JavaScript performs additional checks for potential VM and sandbox marks before delivering the final payload. The resulting executable is signed by a digital certificate trusted by the operating system, making the bogus notification appear legitimate.
“This campaign leverages social engineering and relies on delivery mechanisms that abuse legitimate file hosting services,” wrote Segura. “Because the decoy file consists of a script rather than a malicious executable, the attacker has the flexibility to develop interesting obfuscation and fingerprinting techniques.”
flying under the radar
Attackers use highly obfuscated JavaScript to fly under the radar. Malicious software installed in the campaign included Chthonic banking malware and a Trojan horse version of the NetSupport commercial remote access application.
malware bytes
Malwarebytes was unable to pinpoint the exact number of compromised sites. Using a simple crawler script, researchers identified hundreds of compromised WordPress and Joomla sites and estimated that there were thousands of such infections. This query on the source code search engine PublicWWW revealed just over 900 compromised SquareSpace sites on Tuesday. By the time this post was published, that number had dropped to 774. This post by independent security researcher BroadAnalysis shows that the campaign was launched no later than December 20th. The site was hacked because the operator was unable to install or follow through with available security updates. Other basic security measures, Segura said.
Other internet posts also show the campaign in action. This Twitter thread from last month documents two compromised SquareSpace sites. In a post on his SquareSpace support forums on February 28th, another breach was reported, and another site administrator nearly experienced the same thing he did two weeks later.
Campaigns using compromised websites to prey on visitors have become increasingly common over the past decade. These are typically used in computer support scams to trick people into paying money to fix nonexistent computer problems. Recently, compromised websites have been used to secretly mine cryptocurrency ransomware or malware. Combined with the use of banking malware and backdoor Trojans, this fake update scam stands out for its ability to remain hidden for at least four months.
“The cloaking used in this campaign caught our attention because it stands out from other infection chains that are less sophisticated and easier to identify and block,” said Segura. told Ars. “Another interesting aspect is the fact that such bogus updates are usually distributed via malvertising, which is usually cheap. One was tech support scams via browser lockers, which tend to be more serious malware such as stealers and remote administration tools.”
