More fake Windows updates are spreading malware, so watch what you download
A pop-under campaign is delivering a novel dropper
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Researchers have warned of a new cyber scam campaign using fake Windows updates to trick victims into downloading and running the Aurora infostelaer on their devices.
Experts at Malwarebytes recently spotted a malicious advertising campaign leveraging pop-under ads to deliver amalwareloader.
Pop-under ads are a type of ad that loads under thebrowser, and is only visible once the user closes, or moves the browser out of sight. These ads, served mostly on adult content websites with high traffic numbers, are displayed in full-screen, and tell the user that they need to update their device. More than a dozen domains were used in this campaign, it was said.
Protecting your business from the biggest threats onlinePerimeter 81’s Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.
Preferred partner (What does this mean?)
Turkish victims
Those that fall for the trick would download a file called ChromeUpdate.exe which, in reality, is a malware loader called “Invalid Printer”. The researchers are saying that Invalid Printer is a so-called “fully undetectable” (FUD) malware loader, used exclusively by this particular, yet unnamed, threat actor. Once Invalid Printer makes it to the target endpoint, it will first check the graphic card to see if it’s installed on a virtual machine, or in a sandbox. If it determines that the device is a legitimate target, it will unpack and launch a copy of the Aurora infostealer.
Aurora is a piece of malware with “extensive capabilities” and low antivirus detection, its creators claim. In reality, it took antivirus programs a few weeks to start flagging Aurora installs as malicious, Malwarebytes said. Written in Golang, Aurora is on sale on dark web forums for more than a year now. In this particular campaign, some 600 devices were compromised, the researchers believe.
A nasty new infostealer malware is landing in email inboxes>This new malware has emerged from the dark web and is after your data>These are the top ID theft protection tools today
According to Jérôme Segura, director of threat intelligence at Malwarebytes, most victims are Turkish, as every time a new sample gets submitted to Virus Total, it comes from a Turkish user.
“In many instances, the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe),” the researcher concluded.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
