January 10, 2023 - TuxCare expert team
According to a Guardio Labs report, a malware campaign dubbed “MasquerAds” abuses the Google Ads platform to push malware to users searching for popular software products; its operators target organizations, GPUs, and crypto wallets.
The threat actors are said to set up a network of fake sites that are promoted through search-engine ads. When a visitor clicks one, they are redirected to a phishing page that links to a trojanized ZIP archive hosted on Dropbox or OneDrive.
The operators register typosquatted domains whose names differ from the impersonated brand’s by as little as one letter. A user who clicks a MasquerAd lands on a phishing site offering a download of the malicious software, usually Raccoon Stealer or Vidar.
The campaign gains reach and credibility by riding on Google’s ad network and the names of well-known software vendors, and it distributes its payloads through reputable file-sharing services such as Dropbox. It impersonates legitimate software including AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Zoom, Audacity, OBS, LibreOffice, TeamViewer, Thunderbird, Brave, and others.
Meanwhile, Guardio Labs attributes a large portion of the activity to a threat actor known as Vermux, noting that the adversary “abuses a vast list of brands and continues to evolve.”
Guardio Labs’ Nati Tal used the example of a user searching for Grammarly. Someone who searches for “grammarly” may be shown an ad pointing to a URL that differs from the real one by a single character, in this case “gramm-arly.com”. The site is a copy of the official Grammarly website, convincing enough that users believe it is genuine.
The ad’s landing URL is a benign, unrelated site (in the example, Christian Heating and Air Conditioning). When a user clicks the ad, the server redirects them to the phishing site under its look-alike name, and anything downloaded from that site carries malware. Because the redirect is performed server-side, Google’s ad checks do not see the phishing site.
A target who downloads Grammarly from the phishing site does receive the legitimate Grammarly installer, but it is bundled with an executable that does its damage in the background. That executable is padded with null bytes to exceed 500 MB, and less than 1% of its code is malicious, so it slips past most detection tools, many of which impose file-size limits on what they scan. The operators rotate the malware payload regularly, switching between stealer families without touching the downloadable Grammarly.exe.
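The one-character difference between “gramm-arly.com” and “grammarly.com” is easy to miss by eye but easy to measure by edit distance. The following is an added example, not code from the TuxCare article or from Guardio Labs: it flags a domain that sits within a small Levenshtein distance of a brand’s real domain. The BRANDS allowlist and the candidate domains are constructed for the demonstration and are assumptions, not data from the report.

```python
"""Added example (not from the article): flag look-alike domains that are a
small edit distance away from a known brand domain, as "gramm-arly.com" is
from "grammarly.com". BRANDS below is an assumed, constructed allowlist."""

# Assumption: a short allowlist of the real domains an organisation cares about.
BRANDS = {"grammarly.com", "anydesk.com", "dashlane.com", "malwarebytes.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (0 if equal)
        prev = cur
    return prev[-1]


def registrable_name(url_or_host: str) -> str:
    """Reduce a URL or host to its bare hostname: drop scheme, path, port, 'www.'."""
    host = url_or_host.lower().split("://")[-1].split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def lookalike_brand(url_or_host: str, max_distance: int = 2):
    """Return (brand, distance) when the host is a near-miss of a brand domain.

    The genuine domain itself returns None: it is not a look-alike.  Hosts that
    are more than max_distance edits from every brand also return None.
    """
    host = registrable_name(url_or_host)
    if host in BRANDS:
        return None
    best = None
    for brand in BRANDS:
        d = edit_distance(host, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    # Constructed sample links, modelled on the gramm-arly.com case.
    for link in ("https://gramm-arly.com/download", "www.grammarly.com",
                 "anydesk.co", "example.com"):
        print(link, "->", lookalike_brand(link))
```

A distance of 1 or 2 against a short allowlist is a useful triage signal for proxy logs or ad-click telemetry; it will not catch a completely unrelated domain fronting the same kit, which is why the server-side redirect described next matters just as much.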
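The padding trick works because scanners that refuse or truncate files above a size ceiling never see the small malicious fraction. The following is an added example, not code from the article or from Guardio Labs: it measures how much of a file is a trailing run of null bytes and flags samples whose bulk is padding. The size limit, the alert ratio and the constructed in-memory “installer” are assumptions for the demonstration; the on-disk variant reads backwards in chunks so a multi-hundred-megabyte sample is never loaded whole.

```python
"""Added example (not from the article): detect an executable inflated with
trailing null bytes.  Thresholds and the sample binary are assumptions."""
import os
import random
import tempfile

SIZE_LIMIT = 500 * 1024 * 1024   # assumption: a common scan/upload ceiling
PAD_RATIO_ALERT = 0.90           # assumption: alert when >= 90% is a trailing null run
CHUNK = 1024 * 1024              # read granularity for the on-disk variant


def trailing_null_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of an in-memory file."""
    return len(data) - len(data.rstrip(b"\x00"))


def trailing_null_run_file(path: str) -> int:
    """Same measurement for a file on disk, scanning from the end in CHUNK steps."""
    run = 0
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        pos = f.tell()
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            zeros = len(chunk) - len(chunk.rstrip(b"\x00"))
            run += zeros
            if zeros < len(chunk):
                break  # a non-zero byte ends the run; nothing earlier counts
    return run


def padding_report(size: int, pad: int) -> dict:
    """Summarise size and padding; 'suspicious' is the padding-ratio verdict."""
    ratio = pad / size if size else 0.0
    return {
        "size": size,
        "trailing_null_bytes": pad,
        "pad_ratio": round(ratio, 4),
        "exceeds_scan_limit": size > SIZE_LIMIT,
        "suspicious": ratio >= PAD_RATIO_ALERT,
    }


def report_bytes(data: bytes) -> dict:
    return padding_report(len(data), trailing_null_run(data))


def report_file(path: str) -> dict:
    return padding_report(os.path.getsize(path), trailing_null_run_file(path))


def build_sample(content_len: int = 4096, pad_len: int = 3_000_000, seed: int = 7) -> bytes:
    """Constructed stand-in for the bloated installer: pseudo-random 'code' that
    ends in a non-zero byte, followed by pad_len zero bytes."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(content_len - 1)) + b"\xff"
    return body + b"\x00" * pad_len


def report_file_from_bytes(data: bytes) -> dict:
    """Write constructed bytes to a temp file, run the on-disk check, clean up."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return report_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(report_bytes(build_sample()))
    print(report_file_from_bytes(build_sample()))
```

A high trailing-null ratio is not proof of malice (some installers carry zeroed resource sections), but combined with a size just over a scanner’s ceiling and a recently registered download domain it is a strong reason to strip the padding and submit the remaining bytes for analysis.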
The sources for this piece include an article in TheHackerNews.