Cisco Talos researchers have identified malvertising campaigns using fake installers of popular games and applications, such as WeChat, Viber, Battlefield, and NoxPlayer, to lure users into downloading an undocumented, malicious Google Chrome extension and a backdoor.
The objective is to steal data and credentials from the compromised system and maintain remote access. Cisco Talos researchers named this campaign Magnat because the malware payloads are tied to an unidentified actor using the alias Magnat.
About the Attack
Researchers believe the campaign has been active since at least 2018, with the malware under continuous development since then. Alongside a commodity password stealer, the attacks distribute two previously undocumented, custom-built malware families.
According to the researchers, victims are lured through malvertising (malicious online ads) into downloading fake installers. These installers do not install the advertised software; instead they drop three pieces of malware: a password stealer, a malicious browser extension, and a backdoor.
The browser extension enables keylogging and captures screenshots of whatever is displayed on the user's screen. The researchers first observed activity at the end of 2019 and continued to see it during early 2020; fresh instances appeared from April 2021 onward.
Redline Password Stealer and MagnatExtension
In the Magnat campaign, the actors use a password stealer called Redline, a widely sold commodity stealer known for harvesting the usernames and passwords saved on the infected device.
Researchers noted that Magnat previously used the Azorult password stealer and switched to Redline after Azorult stopped working correctly following the release of Chrome 80 in February 2020, which changed how Chrome encrypts its stored credentials.
It is worth noting that in October 2021 and as recently as November 29th, both Redline and Azorult were seen in campaigns targeting YouTubers with cookie-stealer attacks and abusing legitimate remote access tools to steal cryptocurrency.
The extension uses a hardcoded C2 address. Interestingly, the C2 can push a list of additional C2 domains to the extension, and if those fail, the extension falls back to an alternative method of obtaining a new C2 address: it performs a Twitter search for the hashtags #ololo2019 and #aquamamba2019 and derives the address from the matching tweets.
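The following is an added example, not MagnatExtension's code, modelling the three-tier C2 resolution just described (hardcoded address, then domains pushed by a previous C2, then a dead-drop resolver over public hashtag search results). The two hashtags are the ones Talos reported; every hostname, the tweet bodies, and the "base64 hostname after the hashtag" encoding are assumptions made for the demo, not the real extension's scheme. Search and check-in are stubbed with plain functions so it runs offline.

```javascript
// Added illustration (not MagnatExtension's code): the C2 resolution order
// described in the article, written as one synchronous function.
//   tier 1: the hardcoded C2 address
//   tier 2: a list of extra domains a previous C2 pushed to the extension
//   tier 3: a dead-drop resolver over public hashtag search results
// Hashtags are the reported ones; hostnames, tweet bodies and the base64
// encoding of the hostname are assumptions for this demo only.

const HARDCODED_C2 = "c2-primary.example"; // assumed placeholder
const DEAD_DROP_TAGS = ["#ololo2019", "#aquamamba2019"];
const HOSTNAME_RE = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i;
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Constructed stand-in for a hashtag search: one unrelated tweet that merely
// uses the tag, one that carries an encoded hostname.
const SAMPLE_TWEETS = [
  { text: "great weekend #ololo2019", user: "bystander" },
  { text: "#aquamamba2019 " + Buffer.from("c2-fallback.example").toString("base64"), user: "dropper" },
];

// Pull a hostname out of a tweet: the tweet must carry one of the tags, and a
// token must be well-formed base64 that decodes to a plausible hostname.
// The strict checks keep unrelated tweets from injecting garbage.
function extractHostFromTweet(text) {
  const tokens = text.trim().split(/\s+/);
  if (!tokens.some((t) => DEAD_DROP_TAGS.includes(t))) return null;
  for (const tok of tokens) {
    if (DEAD_DROP_TAGS.includes(tok) || !BASE64_RE.test(tok) || tok.length % 4 !== 0) continue;
    const decoded = Buffer.from(tok, "base64").toString("utf8");
    if (HOSTNAME_RE.test(decoded)) return decoded.toLowerCase();
  }
  return null;
}

// probe(host) -> boolean stands in for a real check-in attempt;
// searchTweets(tags) -> [{text}] stands in for the hashtag search.
function resolveC2({ pushedList = [], probe, searchTweets }) {
  if (probe(HARDCODED_C2)) return { host: HARDCODED_C2, tier: "hardcoded" };
  for (const host of pushedList) {
    if (probe(host)) return { host, tier: "pushed" };
  }
  for (const tweet of searchTweets(DEAD_DROP_TAGS)) {
    const host = extractHostFromTweet(tweet.text);
    if (host !== null && probe(host)) return { host, tier: "dead-drop" };
  }
  return null; // every tier exhausted
}

// Demo: primary and pushed domains are sinkholed, only the dead-drop host answers.
if (typeof require !== "undefined" && require.main === module) {
  const live = new Set(["c2-fallback.example"]);
  console.log(resolveC2({
    pushedList: ["c2-pushed.example"],
    probe: (h) => live.has(h),
    searchTweets: () => SAMPLE_TWEETS,
  }));
}
```

The practical point for defenders is that sinkholing the hardcoded domain is not enough: as long as the hashtag search is reachable, the operator can re-point every infected browser by posting a new tweet. When hunting, an extension whose source contains a Twitter search URL or these hashtag strings is a strong indicator on its own.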
An AutoIt-based backdoor is also deployed to establish remote (RDP) access to the device. Users in the USA, Canada, Australia, Spain, Italy, and Norway are the prime targets of Magnat.
“Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker’s goals are to obtain user credentials, possibly for sale or for his own use in further exploitation,” Tiago Pereira of Cisco Talos stated in his blog post.
“The motive for the deployment of an RDP backdoor is unclear. The most likely are the sale of RDP access, the use of RDP to work around online service security features based on IP address or other endpoint installed tools, or the use of RDP for further exploitation on systems that appear interesting to the attacker,” Pereira noted.