Researchers warn of a new cyber-scam campaign using fake Windows updates to trick victims into downloading and running the Aurora infostealer on their devices.
Malwarebytes experts recently discovered a malicious advertising campaign that uses pop-under ads to deliver a malware loader.
Pop-under ads are ads that load underneath the browser and are only visible when the user closes the page or moves the browser out of sight. Mainly displayed on high-traffic adult content sites, these ads appear in full screen and inform the user that they need to update their device. More than a dozen domains were said to be used in this campaign.
Those who fall for this trick will download a file called ChromeUpdate.exe, which is actually a malware loader called “Invalid Printer”. Researchers claim that Invalid Printer is a so-called “Fully Undetectable” (FUD) malware loader used exclusively by this particular, as yet unnamed, cybercriminal. When Invalid Printer reaches the target endpoint, it first checks the graphics card to determine whether it is running in a virtual machine or a sandbox. If it decides that the device is a legitimate target, it unpacks and runs a copy of the Aurora infostealer.
Aurora is malware with “extensive capabilities” and low antivirus detection, according to its creators. In fact, it took several weeks for antivirus programs to start labeling Aurora installations as malicious, Malwarebytes said. Written in Go, Aurora has been sold on dark web forums for over a year. Researchers believe that around 600 devices were compromised in this particular campaign.
According to Jérôme Segura, Director of Threat Intelligence at Malwarebytes, most of the victims are Turkish, because every time VirusTotal receives a new sample, it comes from a Turkish user.
“In many cases, the file name looked like it came straight from the compiler (i.e. build1_enc_s.exe),” the researcher concluded.
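A defender-side triage helper built around the two artifacts the report names (the ChromeUpdate.exe lure spawned from a browser, and the compiler-style build1_enc_s.exe sample names). This is an added example, not code from Malwarebytes or the article; the event field names (Image, ParentImage, Signed, Signature) and the sample events are assumed and constructed.

```python
"""Hunt process-creation events for the fake-browser-update lure pattern.

Added example, not from the original article. Field names mirror
Sysmon/EDR-style telemetry but are an assumption; sample events are constructed.
"""
import re
from typing import Iterable, List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Filenames that impersonate a browser/OS updater (the campaign used ChromeUpdate.exe).
UPDATE_LURE = re.compile(r"^(chrome|edge|firefox|windows)[-_]?update.*\.exe$", re.I)
# Compiler-default style names seen on the Aurora samples (e.g. build1_enc_s.exe).
COMPILER_STYLE = re.compile(r"^build\d+(_[a-z0-9]+)*\.exe$", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the lure pattern, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", "")).lower()
    signed = str(event.get("Signed", "false")).lower() == "true"
    signer = event.get("Signature", "")
    if UPDATE_LURE.match(image) and parent in BROWSERS:
        # Genuine updaters run from a service or scheduled task, not as a browser child.
        if not signed:
            return f"unsigned update-lure binary {image} spawned by {parent}"
        return f"update-lure binary {image} spawned by {parent} (signer: {signer})"
    if COMPILER_STYLE.match(image) and not signed:
        return f"compiler-default filename {image}, unsigned"
    return None


def hunt(events: Iterable[dict]) -> List[str]:
    return [r for r in (classify(e) for e in events) if r]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\ChromeUpdate.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Signed": "false"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\build1_enc_s.exe",
     "ParentImage": r"C:\Users\u\Downloads\ChromeUpdate.exe", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Signed": "true", "Signature": "Google LLC"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```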
By: Bleeping Computer