Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.
A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft.
The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to ‘patch’ this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.
A convincing “system update”
Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.
A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to be a system security update.
Figure 1: A fake system update hijacks the screen
As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.
Fully Undetectable (FUD) malware
While the file name appears as ChromeUpdate.exe, it uses Cyrillic letters that look like their Latin counterparts but are different characters on disk. Its percent-encoded (hex) representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe, as can be seen in the image below:
Figure 3: Hex encoding and Cyrillic alphabet
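As an added example that is not part of the original post, the following script decodes the percent-encoded file name from above and flags the Cyrillic look-alike characters a human would read as Latin; the confusables map is a small hand-picked subset, not the full Unicode confusables table.

```python
import unicodedata
from urllib.parse import unquote

# File name exactly as observed in the campaign (percent-encoded UTF-8).
ENCODED_NAME = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"

# Constructed subset of Cyrillic letters that render like Latin letters.
# A production check would use the Unicode TR39 confusables data instead.
CYRILLIC_TO_LATIN = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y",
}


def decode_name(encoded: str) -> str:
    """Percent-decode the on-disk name (unquote handles the UTF-8 bytes)."""
    return unquote(encoded)


def script_of(ch: str) -> str:
    """First word of the Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def find_homoglyphs(name: str):
    """List (index, char, code point, Latin look-alike) for non-ASCII chars."""
    return [
        (i, ch, f"U+{ord(ch):04X}", CYRILLIC_TO_LATIN.get(ch))
        for i, ch in enumerate(name)
        if not ch.isascii()
    ]


def skeleton(name: str) -> str:
    """What the name looks like once confusables are mapped to Latin."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in name)


def is_mixed_script(name: str) -> bool:
    """True when letters from more than one script are mixed in one name."""
    return len({script_of(ch) for ch in name if ch.isalpha()}) > 1


if __name__ == "__main__":
    decoded = decode_name(ENCODED_NAME)
    print("decoded :", decoded)
    print("skeleton:", skeleton(decoded))
    print("mixed   :", is_mixed_script(decoded))
    for hit in find_homoglyphs(decoded):
        print("  lookalike", hit)
```

A download-monitoring rule can apply the same two tests (mixed script, skeleton matching a known vendor binary name) to flag such files before a user runs them.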
When we first ran the sample in a sandbox, we could not see anything obvious, or even that it was malicious. The file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.
We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe).
Figure 4: User submissions to VirusTotal
While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator for quickly checking whether a file is malicious. For more than 2 weeks, the samples had zero detections on VT, and it wasn’t until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.
Figure 5: VirusTotal detections coincide with blog release
We actually stumbled upon Morphisec’s blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service’s built-in OSINT identified similar samples and linked them with security articles.
Patching the loader
Invalid Printer performs a check on the computer’s graphics card, specifically its vendor ID, which it compares against known manufacturers such as AMD and NVIDIA. Virtual machines and sandboxes generally do not expose real graphics hardware and will fail the check.
We were able to patch the samples we had collected and identify their payload. The patch consists of replacing the graphics card check with a random number and always returning true, therefore allowing the file to run in any sandbox.
The automated malware unpacking service from OpenAnalysis UnpacMe now supports properly unpacking samples using the Invalid Printer loader. It allowed us to determine what malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138[.]218) as one mentioned in Morphisec’s blog.
In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.
The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.
Figure 9: Panel showing browser visits and downloads
Figure 10: Browser user-agents, IP addresses and geolocation
War and Russia references
We believe there is a single threat actor behind this malvertising campaign and others, such as the one Morphisec uncovered. The malware author seems to take a keen interest in creating FUD malware and constantly uploads it to VirusTotal to verify it, always using the same submitter profile.
We couldn’t help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:
Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:
Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.
Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.
Special thanks to Roberto Santos for help with the sample and binary patching.
Indicators of Compromise
Fake system update page
Invalid Printer samples
Aurora Stealer C2
Amadey Stealer panel