Cisco Talos observed a malware campaign that attempts to lure targets into running fake installers for popular software. The threat actor behind it has been active since at least 2018; after intermittent activity across 2019 and 2020, it resurfaced in April 2021.

About the campaign

The attack begins when a target searches for a particular piece of software to download. The researchers suspect that the adversary runs an advertising campaign whose ads link to a web page offering a software installer. Once the fake installer is run, it executes a malicious loader on the system. The malvertising campaign has targeted users in the U.S., Canada, Spain, Australia, Norway, and Italy.

What does the installer execute?

  • RedLine and Azorult - password stealers.
  • MagnatBackdoor - a backdoor, or backdoor installer, that configures the device for stealthy RDP access, adds a new user account, and creates a scheduled task that regularly pings the C2.
  • MagnatExtension - an installer for a Chrome extension with multiple capabilities for stealing data from the browser.
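The three MagnatBackdoor actions listed above (new local user, RDP enabled, scheduled task for C2 check-ins) are individually noisy but rarely happen together within minutes on one host. The script below is an added example of hunting for that chain in a Windows Security log export; it is not code from Talos or from this write-up. It assumes the log was exported as one JSON object per line with the field names shown (TimeCreated, EventID, Computer, Details), and the sample events are constructed. The event IDs are the real Windows ones (4720 account created, 4657 registry value modified, 4698 scheduled task created) and fDenyTSConnections is the real registry switch that, when set to 0, allows Remote Desktop connections.

```python
"""Hunt for the MagnatBackdoor-style persistence chain in a Windows Security log export."""
import json
from datetime import datetime, timedelta

# Windows Security event IDs (real values).
EVT_USER_CREATED = 4720      # A user account was created
EVT_REGISTRY_CHANGED = 4657  # A registry value was modified (needs object-access auditing)
EVT_SCHTASK_CREATED = 4698   # A scheduled task was created

# Real registry value under HKLM\...\Control\Terminal Server: 0 enables Remote Desktop.
RDP_DENY_VALUE = "fDenyTSConnections"

# How close together the three actions must land to count as one install routine.
WINDOW = timedelta(minutes=10)

# Constructed sample export (field names are an assumption of this example).
# HOST-A shows the full chain; HOST-B shows a lone, benign account creation
# and a scheduled task hours later that must NOT be correlated with it.
SAMPLE_LOG = r"""
{"TimeCreated": "2021-04-12T10:00:05", "EventID": 4720, "Computer": "HOST-A", "Details": {"TargetUserName": "svc_remote"}}
{"TimeCreated": "2021-04-12T10:00:09", "EventID": 4657, "Computer": "HOST-A", "Details": {"ValueName": "fDenyTSConnections", "NewValue": "0"}}
{"TimeCreated": "2021-04-12T10:00:41", "EventID": 4698, "Computer": "HOST-A", "Details": {"TaskName": "\\Updater"}}
{"TimeCreated": "2021-04-12T14:03:00", "EventID": 4720, "Computer": "HOST-B", "Details": {"TargetUserName": "jdoe"}}
{"TimeCreated": "2021-04-12T16:20:00", "EventID": 4698, "Computer": "HOST-B", "Details": {"TaskName": "\\Backup"}}
"""


def parse_events(text):
    """Parse a line-delimited JSON export into a list of events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def _enables_rdp(ev):
    """True for a registry change that flips fDenyTSConnections to 0."""
    d = ev.get("Details", {})
    return (ev["EventID"] == EVT_REGISTRY_CHANGED
            and d.get("ValueName") == RDP_DENY_VALUE
            and str(d.get("NewValue")) == "0")


def find_backdoor_chains(events, window=WINDOW):
    """For each account creation, look on the same host within +/- window for an
    RDP-enable registry change and a new scheduled task. Return one hit per chain."""
    hits = []
    for anchor in events:
        if anchor["EventID"] != EVT_USER_CREATED:
            continue
        t0 = anchor["TimeCreated"]
        nearby = [e for e in events
                  if e is not anchor
                  and e["Computer"] == anchor["Computer"]
                  and abs(e["TimeCreated"] - t0) <= window]
        rdp = [e for e in nearby if _enables_rdp(e)]
        tasks = [e for e in nearby if e["EventID"] == EVT_SCHTASK_CREATED]
        if rdp and tasks:
            chain = [anchor] + rdp + tasks
            hits.append({
                "host": anchor["Computer"],
                "user": anchor["Details"].get("TargetUserName"),
                "task": tasks[0]["Details"].get("TaskName"),
                "first": min(e["TimeCreated"] for e in chain),
                "last": max(e["TimeCreated"] for e in chain),
            })
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_chains(parse_events(SAMPLE_LOG)):
        print(f"{hit['host']}: user {hit['user']!r} created, RDP enabled and task "
              f"{hit['task']!r} registered between {hit['first']} and {hit['last']}")
```

Event 4657 only fires when object-access auditing is enabled and the Terminal Server key carries a SACL; on hosts without that, Sysmon's registry value-set event (ID 13) is the usual substitute, and the `_enables_rdp` check is the only part that needs adapting. Correlating per host and within a short window is what keeps a routine helpdesk account creation on HOST-B from raising an alert.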

Why this matters

The researchers believe the malvertising campaigns are a way to reach users searching for software-related keywords. The campaign is gaining momentum as an effective way to harvest information from unsuspecting users.

The bottom line

These malvertising campaigns have been active for about three years and are delivering two previously undocumented malware families, MagnatExtension and MagnatBackdoor. Defending against this threat requires several security layers, such as endpoint protection, security awareness training, and network filtering. Talos researchers surmise that the threat actor's aim is to steal user credentials, possibly to sell them or use them in future attacks.

Cyware Publisher