
New malware campaign leverages compromised sites to spread fake updates

FireEye cybersecurity experts have discovered a new malware campaign that leverages compromised sites to spread fake updates carrying a RAT payload. The aim is to gain control of the infected machines.

There is a new malware campaign ongoing that leverages compromised sites to spread fake updates. It was discovered by cybersecurity experts at FireEye. In some cases, as the company reports on its blog, the payload was the NetSupport Manager remote access tool (RAT). NetSupport Manager is a commercially available RAT that system administrators can legitimately use to access client computers remotely. However, malicious actors are abusing this application by installing it on victims' systems without their knowledge, in order to gain unauthorized access to their machines. Moreover, the analysts observed two variants of the attack with different persistence mechanisms. In the first variant, the malware author uses a RUN registry entry to remain persistent on the system. In the second, the author uses a shortcut file (named desktop.ini.lnk) hosted on the server: the malware downloads the shortcut file and places it in the Startup folder.

The infection vector, masqueraded as Adobe Flash, Chrome, and Firefox updates

The operator behind these malware campaigns uses compromised sites to spread fake updates, disguising them as Adobe Flash, Chrome, and Firefox updates. As FireEye discovered, “When users navigate to the compromised website, the malicious JavaScript file is downloaded, mostly from a Dropbox link. Before delivering the payload, the JavaScript sends basic system information to the server. After receiving further commands from the server, it then executes the final JavaScript to deliver the final payload. In our case, the JavaScript that delivers the payload is named Update.js, and it is executed from %AppData% with the help of wscript.exe”.
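The article describes three observable artifacts of this campaign: a script host (wscript.exe) launching a .js file from %AppData%, a RUN registry entry used for persistence, and a desktop.ini.lnk shortcut placed in the Startup folder. The following detection logic is an added example written for this page; it is not code from the article or from FireEye. The telemetry records are constructed for illustration and their field names (type, image, cmdline, key, data, path) are an assumed generic endpoint-event shape, not any product's schema. Treating cscript.exe as an equivalent script host and flagging double extensions on Startup shortcuts are additional heuristics of my own.

```python
"""Constructed detection example for the delivery and persistence artifacts
described in the article. The sample events below are made up (they are not
from the FireEye report); the field names are an assumed generic shape."""
import re

# wscript.exe is named in the article; cscript.exe is assumed as its sibling host.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Directories a normal user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def check_process(ev):
    """Flag a script host executing a .js/.jse from a user-writable directory."""
    findings = []
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "")
    if (image.endswith(SCRIPT_HOSTS)
            and USER_WRITABLE.search(cmdline)
            and re.search(r"\.jse?\b", cmdline, re.IGNORECASE)):
        findings.append("script host running a .js from a user-writable directory")
    return findings


def check_registry(ev):
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    findings = []
    if RUN_KEY.search(ev.get("key", "")) and USER_WRITABLE.search(ev.get("data", "")):
        findings.append("Run key autostart pointing into a user-writable directory")
    return findings


def check_file(ev):
    """Flag shortcut files written to the Startup folder, noting double extensions."""
    findings = []
    path = ev.get("path", "")
    if STARTUP_DIR.search(path) and path.lower().endswith(".lnk"):
        findings.append("shortcut dropped in Startup folder")
        name = path.rsplit("\\", 1)[-1]
        if name.count(".") > 1:  # e.g. desktop.ini.lnk, as seen in the campaign
            findings.append("double extension on Startup shortcut")
    return findings


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def scan(events):
    """Return [(index, [reason, ...]), ...] for every event that trips a check."""
    hits = []
    for i, ev in enumerate(events):
        reasons = CHECKS.get(ev.get("type"), lambda e: [])(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: three records modelled on the article's artifacts,
# followed by three benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Update.js"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater",  # constructed value name
     "data": r"C:\Users\alice\AppData\Roaming\update\payload.exe"},  # constructed path
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maintenance.js"'},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Run over the constructed events, only the first three records are reported: the wscript.exe launch from AppData, the Run key pointing into the profile, and the Startup shortcut (which also trips the double-extension note). The benign records in Program Files and on the Desktop stay silent, which is the point of keying the rules on user-writable locations rather than on the script host alone.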

The full FireEye analysis of the fake software update campaign
