A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

May 2, 2023 | Ravie Lakshmanan | Malvertising / Cyber Threats


In yet another example of how threat actors are abusing Google Ads to deliver malware, a new Windows-based financial Trojan and information stealer called LOBSHOT has been observed using the technique to gain a foothold on victims' machines.

Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week, “LOBSHOT continues to collect victims while remaining under the radar.

“One of LOBSHOT’s core features concerns its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow direct and unsupervised access to the machine.”

The American-Dutch company attributed this malware strain to a threat actor known as TA505 based on the infrastructure historically connected to this group. TA505 is a financially motivated electronic crime syndicate that overlaps with activity clusters tracked under the names Evil Corp, FIN11, and Indrik Spider.


The latest development is significant as it is a sign that TA505, associated with the Dridex banking Trojan, is once again expanding its malware arsenal to carry out data theft and financial fraud.

With early samples dating back to July 2022, LOBSHOT is distributed through deceptive Google ads for legitimate tools like AnyDesk that lead to a network of look-alike landing pages under the operator's control.

The malware incorporates dynamic import resolution (resolving the names of required Windows APIs at runtime), anti-emulation checks, and string obfuscation to avoid detection by security software.

Once installed, it establishes persistence by modifying the Windows registry and siphons data from more than 50 cryptocurrency wallet extensions present in web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
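The delivery chain described above (a look-alike installer fetched from a malvertised page, registry persistence, then access to browser wallet-extension storage) lends itself to a simple correlation hunt. The following is an added example and not Elastic's analysis code or anything from LOBSHOT itself: it runs three behavioural rules over a handful of constructed EDR-style JSON events and flags any process that trips at least two of them. The event field names, the paths, and the wallet extension ID are assumptions made for the example.

```python
"""Added example: correlate the LOBSHOT-style delivery chain in EDR-like telemetry.

Not Elastic's or LOBSHOT's code. Event shapes, paths and the extension ID below
are assumptions; adapt the field names to your own sensor (e.g. Sysmon 1/13).
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). pid 4120 is the malicious chain,
# pid 5200 is a legitimately installed AnyDesk, pid 6001 is Chrome itself.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120,
     "image": r"C:\Users\jo\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "RegistryValueSet", "pid": 4120,
     "image": r"C:\Users\jo\Downloads\AnyDesk.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd"},
    {"type": "FileRead", "pid": 4120,
     "image": r"C:\Users\jo\Downloads\AnyDesk.exe",
     "path": r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default"
             r"\Local Extension Settings\abcdefghijklmnopabcdefghijklmnop\000003.log"},
    {"type": "ProcessCreate", "pid": 5200,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "RegistryValueSet", "pid": 5200,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "target": r"HKCU\Software\AnyDesk\ad.anynet.id"},
    {"type": "FileRead", "pid": 6001,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default"
             r"\Local Extension Settings\abcdefghijklmnopabcdefghijklmnop\000003.log"},
]

# Rule building blocks. Directories a browser download or dropper lands in;
# the brand the article says is being impersonated; Run/RunOnce persistence
# keys; Chromium extension storage (IDs are 32 chars from a-p). Firefox keeps
# extension data elsewhere, so extend EXT_DIR if you need it.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.I)
LOOKALIKE = re.compile(r"anydesk", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
EXT_DIR = re.compile(r"\\(Local Extension Settings|Extensions)\\[a-p]{32}\\", re.I)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_events(events):
    """Return {pid: sorted signal names} for every process that trips >= 2 rules."""
    signals = defaultdict(set)
    for e in events:
        img = e.get("image", "")
        if e["type"] == "ProcessCreate":
            # A binary named like the advertised tool, but running from a
            # user-writable directory instead of its install location.
            if LOOKALIKE.search(basename(img)) and USER_WRITABLE.search(img):
                signals[e["pid"]].add("lookalike_installer_in_user_dir")
        elif e["type"] == "RegistryValueSet":
            # Run-key persistence written by something outside Program Files.
            if RUN_KEY.search(e.get("target", "")) and USER_WRITABLE.search(img):
                signals[e["pid"]].add("run_key_persistence_from_user_dir")
        elif e["type"] == "FileRead":
            # Only the browser should be reading its own extension storage.
            if EXT_DIR.search(e.get("path", "")) and basename(img) not in BROWSERS:
                signals[e["pid"]].add("non_browser_reads_extension_storage")
    return {pid: sorted(s) for pid, s in signals.items() if len(s) >= 2}


if __name__ == "__main__":
    for pid, hits in score_events(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

Requiring two independent signals keeps a legitimately installed AnyDesk (which also touches the registry) and the browser's own reads of extension storage out of the results, while the renamed dropper in Downloads trips all three.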


Other notable features of LOBSHOT revolve around its ability to remotely access a compromised host via its hVNC module and perform actions covertly without attracting the victim’s attention.

“Threat groups continue to leverage malvertising techniques to disguise legitimate software with backdoors like LOBSHOT,” said Stepanic.

“Although this type of malware may seem small, it packs important features that help attackers act quickly in the early stages of access, with fully interactive remote control capabilities.”


The findings underscore how attackers use malvertising and search engine optimization (SEO) poisoning to redirect users to fake websites that serve trojanized installers of popular software. It also highlights that there is an increase in

According to eSentire data, the actors behind GootLoader have been linked to a series of attacks targeting legal departments of law firms and corporations in the US, Canada, UK and Australia.

GootLoader has been around since 2018 and operates as an initial access-as-a-service offering for ransomware attacks. It uses SEO poisoning to steer victims searching for agreements and contracts to compromised WordPress blogs that serve links to the malware.

In addition to geofencing so that only victims in specific regions are targeted, the attack chain is designed to serve the malware from the compromised sites only once a day per visitor, to evade detection by incident responders.

eSentire also found that the IP address-based check GootLoader uses to screen out victims it has already served can be turned against it: an organization's end-user IP addresses can be preemptively blocked on the attacker's side, preventing potential infection.
