Raccoon and Vidar Stealers Spreading by way of Massive Network of Fake Cracked Software



Jan 16, 2023 | Ravie Lakshmanan | Data Security / Cyber Threat


A "large and resilient infrastructure" comprising more than 250 domains has been used to distribute information-stealing malware such as Raccoon and Vidar since early 2020.

The infection chain "uses about a hundred fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub," cybersecurity firm SEKOIA said in an analysis published earlier this month.

The French cybersecurity company assessed the domains to be operated by a threat actor running a traffic direction system (TDS), which allows other cybercriminals to rent the service to distribute their malware.

The attacks target users searching for cracked versions of software and games on search engines such as Google, pushing fraudulent websites to the top of the results through a technique known as search engine optimization (SEO) poisoning in order to lure victims into downloading and executing the malicious payloads.

The poisoned result carries a download link for the promised software that, when clicked, triggers a five-stage URL redirection sequence taking the user to a web page that displays a shortened link, which in turn points to a password-protected RAR archive hosted on GitHub, along with its password.

"The use of several redirections complicates automated analysis by security solutions," the researchers said. "Carving the infrastructure as such is almost certainly designed to ensure resilience, making it easier and faster to update or change a step."


Should the victim uncompress the RAR archive and run the purported setup executable contained within it, one of the two malware families, Raccoon or Vidar, is installed on the system.
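As an added defensive illustration (not code from the SEKOIA report), the following Python script walks proxy log lines per client, counts consecutive redirect hops, and flags a client that reached a landing page after five or more hops and then fetched an archive from a GitHub host, mirroring the chain described above. The log format, hostnames, sample lines and thresholds are constructed assumptions, not indicators from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not from the report): timestamp, client IP,
# requested URL, HTTP status, and the Location header returned ("-" when absent).
SAMPLE_LOG = """\
2023-01-10T10:00:01Z 10.0.0.5 http://cracks-catalog.example/get/app 302 http://hop1.example/go
2023-01-10T10:00:02Z 10.0.0.5 http://hop1.example/go 302 http://hop2.example/r
2023-01-10T10:00:03Z 10.0.0.5 http://hop2.example/r 302 http://hop3.example/x
2023-01-10T10:00:04Z 10.0.0.5 http://hop3.example/x 302 http://hop4.example/y
2023-01-10T10:00:05Z 10.0.0.5 http://hop4.example/y 302 http://short.example/abc
2023-01-10T10:00:06Z 10.0.0.5 http://short.example/abc 200 -
2023-01-10T10:00:09Z 10.0.0.5 https://github.com/u/r/releases/download/v1/Setup.rar 200 -
2023-01-10T10:05:00Z 10.0.0.7 http://news.example/story 301 https://news.example/story
2023-01-10T10:05:01Z 10.0.0.7 https://news.example/story 200 -
2023-01-10T10:06:00Z 10.0.0.7 https://github.com/u/r/releases/download/v1/tool.zip 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
ARCHIVE_HOSTS = {"github.com", "objects.githubusercontent.com"}  # assumed hosts
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
MIN_HOPS = 5  # the campaign described above uses a five-stage redirection

def parse_log(text):
    """Yield (timestamp, client, url, status, location) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, url, status, loc = m.groups()
            yield ts, client, url, int(status), (None if loc == "-" else loc)

def is_github_archive(url):
    p = urlparse(url)
    return p.netloc.lower() in ARCHIVE_HOSTS and p.path.lower().endswith(ARCHIVE_EXTS)

def find_suspicious_chains(text, min_hops=MIN_HOPS):
    """Return [(client, hops, landing_url, archive_url)] for clients that followed
    >= min_hops consecutive redirects and later fetched an archive from a GitHub host."""
    hits, chains, pending = [], defaultdict(list), {}
    for ts, client, url, status, loc in parse_log(text):
        chain = chains[client]
        # The chain continues only if this request is the URL the previous hop pointed to.
        if chain and chain[-1][1] != url:
            chain.clear()
        if 300 <= status < 400 and loc:
            chain.append((url, loc))
            continue
        if len(chain) >= min_hops:
            pending[client] = (len(chain), url)  # landing page reached after a long chain
        chain.clear()
        if client in pending and is_github_archive(url):
            hops, landing = pending.pop(client)
            hits.append((client, hops, landing, url))
    return hits
```

A production rule would additionally bound the time between the landing page and the archive fetch, and treat the archive download alone as low-confidence, since GitHub releases are legitimately fetched all the time.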

The development comes as Cyble detailed a rogue Google Ads campaign that uses widely used software such as AnyDesk, Bluestacks, Notepad++, and Zoom as lures to deliver a feature-rich stealer known as Rhadamanthys Stealer.

An alternative variant of the attack chain has been observed taking advantage of phishing emails masquerading as bank statements to dupe unwitting users into clicking on fraudulent links.

Fabricated websites impersonating the popular remote desktop solution have also been put to use in the past to propagate a Python-based information stealer dubbed Mitsu Stealer.

Both pieces of malware are equipped to siphon a wide range of personal information from compromised machines, harvest credentials from web browsers, and steal data from various cryptocurrency wallets.

Users are advised to refrain from downloading pirated software and to enforce multi-factor authentication wherever possible to harden accounts.

"It is important for users to exercise caution when receiving spam emails or visiting phishing websites and to verify the source before downloading any applications," the researchers said.
