Cybersecurity researchers from HP Wolf Security warn of active campaigns spreading several malware families to unsuspecting victims through misspelled (typosquatted) domain names and malvertising.
In a blog post, the team explained how they found multiple phishing sites impersonating popular software such as Audacity, Blender and GIMP.
The scammers also pay ad networks to place ads promoting these fake websites, so when people search for these programs, search engines may serve the malicious look-alike sites alongside the legitimate ones. Users who do not double-check the URL of the site they land on can easily end up in the wrong place.
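The URL check the paragraph above recommends can be automated. The following is an added example, not code from HP Wolf Security's post: it reduces a URL to its registrable domain and compares it against the genuine project sites (audacityteam.org, blender.org and gimp.org are the real download domains), flagging candidates that embed a brand name or sit within a small edit distance of a real domain. The fake domains HP found are not named on this page, so the candidate URLs in the usage lines are constructed for illustration.

```python
# Added example: look-alike domain check for software download URLs.
# LEGIT_DOMAINS are the real project sites; the URLs checked at the bottom
# are constructed for this example and are not domains from the HP report.

LEGIT_DOMAINS = {
    "audacityteam.org": "Audacity",
    "blender.org": "Blender",
    "gimp.org": "GIMP",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_part(url: str) -> str:
    """Strip scheme, path and port, then keep the last two labels.
    Good enough for .org/.com; a public-suffix list is needed for co.uk-style TLDs."""
    host = url.lower().split("://")[-1].split("/")[0].split(":")[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str, max_distance: int = 2):
    """Return ("legit", brand, 0), ("lookalike", brand, distance) or ("unknown", None, None).

    A domain is a look-alike if its second-level label embeds a brand name
    (audacity-download.net style) or if the whole domain / second-level label
    is within max_distance edits of a genuine one (blendr.org style)."""
    dom = registrable_part(url)
    if dom in LEGIT_DOMAINS:
        return ("legit", LEGIT_DOMAINS[dom], 0)
    sld = dom.split(".")[0]
    best = None
    for legit, brand in LEGIT_DOMAINS.items():
        legit_sld = legit.split(".")[0]
        if brand.lower() in sld:
            d = 0                                  # brand kept, TLD or suffix changed
        else:
            d = min(levenshtein(dom, legit), levenshtein(sld, legit_sld))
        if d <= max_distance and (best is None or d < best[2]):
            best = ("lookalike", brand, d)
    return best or ("unknown", None, None)


if __name__ == "__main__":
    # constructed sample URLs, not domains from the report
    for u in ["https://www.audacityteam.org/download/",
              "http://audacityteam.com/",       # brand kept, TLD swapped
              "https://blendr.org/",            # one character dropped
              "https://gimp-download.net/",     # brand embedded in a new domain
              "https://example.com/"]:
        print(u, "->", classify(u))
```

The brand-substring rule is deliberately aggressive: a genuine mirror such as a university download host would also be flagged, so treat a "lookalike" verdict as a prompt to verify the site, not as proof of fraud.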
Fake installer
If a victim does land in the wrong place, they will hardly notice the difference: the sites are designed to look almost identical to the real ones, down to the smallest details. In the Audacity case, the site hosted a malicious .exe file posing as the program's installer, named “audacity-win-x64.exe” and over 300MB in size.
The size is deliberate. Attackers are trying to avoid arousing suspicion (malware is usually measured in KB) while also evading antivirus programs: according to the researchers, the automatic scanning features of some antivirus products skip very large files.
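A defender who cannot rely on the scanner to open a 300MB file can still ask whether the bulk is real content or filler. The following added example (not code from HP Wolf Security, and not an analysis of the actual audacity-win-x64.exe sample) parses a PE file's section table to find the overlay, the bytes past the last section, and flags a large overlay whose sampled entropy is near zero. The sample PE is constructed inline, the size threshold and entropy cut-off are assumed values, and a minimal PE layout is used so the example runs offline.

```python
# Added example: detect size-padded Windows executables by overlay size and entropy.
# The PE built by build_sample_pe() is a constructed, non-runnable layout used
# only to exercise the parser; thresholds are assumptions, not values from the report.
import math
import struct

HEADER_LIMIT = 0x40  # a PE needs at least a full DOS header to hold e_lfanew


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for uniform filler, close to 8.0 for compressed/encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(i) for i in range(256)]  # bytes.count accepts an int since 3.3
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_size) or None if data is not a parseable PE.

    The overlay starts after the furthest byte claimed by any section header
    (PointerToRawData + SizeOfRawData); everything beyond it is unmapped by the loader."""
    if len(data) < HEADER_LIMIT or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + size_opt
    end = sect_table + num_sections * 40          # headers themselves count as content
    for i in range(num_sections):
        off = sect_table + i * 40
        if off + 40 > len(data):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return end, max(0, len(data) - end)


def looks_padded(data: bytes, min_overlay: int = 32 * 1024 * 1024, max_entropy: float = 1.0):
    """Flag a PE whose overlay is large and nearly uniform. Returns (flagged, reason).

    Legitimate NSIS/Inno installers also carry their payload in the overlay, but that
    payload is compressed and scores near 8 bits/byte; only low-entropy bulk is flagged."""
    res = pe_overlay(data)
    if res is None:
        return False, "not a parseable PE file"
    off, size = res
    if size < min_overlay:
        return False, f"overlay of {size} bytes is below threshold"
    ent = shannon_entropy(data[off:off + (1 << 20)])  # sample the first 1 MiB of overlay
    if ent > max_entropy:
        return False, f"{size}-byte overlay has entropy {ent:.2f}, consistent with a real payload"
    return True, f"{size}-byte overlay with entropy {ent:.2f} looks like size padding"


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an empty
    optional header, one 512-byte .text section, then the supplied overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)  # 1 section, no optional header
    data_off = e_lfanew + 24 + 0 + 40                               # first byte after the section table
    sect = b".text\0\0\0" + struct.pack("<IIII", 512, 0x1000, 512, data_off) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + b"\x90" * 512 + overlay


if __name__ == "__main__":
    # constructed samples: 2 MiB of zero filler vs 2 MiB of high-entropy bytes
    padded = build_sample_pe(b"\0" * (2 << 20))
    real_payload = build_sample_pe(bytes(range(256)) * 8192)
    for name, blob in [("padded", padded), ("real payload", real_payload)]:
        print(name, looks_padded(blob, min_overlay=1 << 20))
```

Two caveats for real use: padding can also be hidden inside an oversized section rather than the overlay, so a section-by-section entropy pass is the natural extension, and the threshold should be tuned against the installers your fleet actually downloads before it goes into a blocking rule.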
All of the fake installers in this campaign were hosted on the 4sync.com cloud storage service, the researchers said, suggesting that blocking access to the service entirely could be a good defensive measure.
Several malware families were distributed over the course of the campaign. The largest campaign the researchers have seen uses this delivery method to deploy the IcedID trojan, but the Vidar infostealer, BatLoader and the Rhadamanthys stealer have all been observed. Activity has increased since last November, according to HP Wolf Security.