Malicious Online Ad Campaign Steals User Logins

Attackers are using malicious online advertising to lure targets to download fake installers in a malware campaign aimed at stealing sensitive information such as account logins, security researchers have said.

The campaign, which researchers at Cisco Talos attribute to a group they call “Magnat”, is effective partly because it targets users who are already looking for software to install.

Credentials stolen by the group have been used in further attacks, including ransomware incidents, Cisco said.

The group targets users who are looking for legitimate software, such as Viber or WeChat, or the popular game Battlefield.

Malicious ads

When users search for a particular piece of software, they’re shown a malicious advertisement that leads to the fake installer, Cisco said.

The Magnat campaign dates as far back as late 2018, with about half of users affected being in Canada. US, Australia and some users in EU countries are also affected.

Cisco uses the name “Magnat” as it appears as a username in the build path of the campaign’s bespoke malware.

“Since this threat delivers multiple different payloads, including information stealers, it can pose a significant threat to enterprises,” said Tiago Pereira, Cisco Talos technical lead of security research, in an advisory.

“We have seen the credentials stolen by these stealers act as an initial infection point for larger attacks, including ransomware incidents.”

Backdoor

Once launched, the fake installer plants a password stealer, a “backdoor” that sets up a stealth Microsoft Remote Desktop Protocol (RDP) session, and a malicious browser extension.

The backdoor, called MagnatBackdoor, enables future RDP sessions which the attackers can make use of themselves, or sell to others.

The stolen credentials are also likely to be destined for sale on hacking forum, Cisco said.

The Chrome extension, which Cisco calls MagnatExtension, has been in development since at least August 2018, and includes functions such as a keylogger, the ability to take screenshots of passwords and a browser cookie stealer.

It appears to users as a security feature called “Google’s Safe Browsing”.

Both the extension and the backdoor are custom-developed for the Magnat campaign.

Password theft

The campaign has used a range of commodity password stealers over time, beginning with Azorult and switching to others after Chrome version 80 disabled many of Azorult’s processes in February 2020.

Magnat has been testing replacements including Vidar Stealer, Gozi and Redline Stealer malware.

Pereira advised enterprises to have multiple layers of security controls in place to combat the threat.

“This type of threat can be very effective and requires that several layers of security controls are in place, such as endpoint protection, network filtering and security awareness sessions,” he said.