Cryptominers in search results

Last week, Kaspersky Lab experts published a detailed analysis of a malicious campaign aimed mainly at Russian-speaking users. Links to malicious programs are promoted in search results, and installing the advertised software hands the attackers complete control of the system. Although such attacks are not new, this campaign is of interest both because of its localization (most potential victims are in Russia) and because of the non-standard methods used to gain a foothold in the system.

The attack begins with a click on a link in the search results. As you can see in the example above, a malicious site often appears quite high in Yandex search results. Among the popular software whose names the attackers exploit, the authors of the study list uTorrent, Microsoft Excel and Word, Minecraft, and Discord. The web page usually imitates either the official site of a software developer or a popular platform for distributing pirated software.

The organizers of the attack are not limited to search results. The software is also distributed through a number of Telegram channels. On YouTube, the same malware is distributed as links under English-language videos; this distribution channel most likely relies on hijacked video hosting accounts. One way or another, the potential victim downloads a ZIP archive containing an .MSI installer and a text file with a password.

The executable file asks for a password upon startup and does not work without it – one of the measures against automatic scanning of the file by security solutions. After the correct password is entered, control is eventually transferred to a BAT file, which unpacks the malicious code for the next stage of the attack from an encrypted archive. In addition, another batch file is registered in autorun with system privileges, and a reboot is initiated.

The next stage of the attack is implemented in a rather unusual way. A legitimate AutoIt interpreter is used to run a malicious script in A3X format. In addition, the encrypted archive contains a legitimate dynamic library with a valid digital signature. The A3X script for AutoIt is embedded in the digital signature of this library:

This approach is interesting because, firstly, it does not invalidate the digital signature. Secondly, it does not prevent the script from running, since AutoIt looks only for its own special signature and ignores the rest of the library's contents:
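A defender-side triage check for the trick described above, added here as an example and not part of the original report or of any Kaspersky tooling: it locates the Authenticode certificate table of a PE file, measures how much data sits in that table beyond the PKCS#7 SignedData structure (bytes the Authenticode hash never covers, so they do not break the signature), and looks for the AutoIt3 compiled-script header marker anywhere in the table. The marker bytes are the ones used in public YARA signatures for AutoIt compiled scripts; the sample certificate table is constructed, with a dummy DER SEQUENCE standing in for a real signature.

```python
import struct

# AutoIt3 compiled-script header (16-byte magic + "AU3!EA06"), as used in public YARA rules.
AU3_MARKER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"

def der_sequence_length(buf):
    """Total encoded size of the DER SEQUENCE at buf[0] (the PKCS#7 SignedData), or None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def inspect_cert_table(table):
    """Parse a WIN_CERTIFICATE table and report data the Authenticode hash never covers."""
    if len(table) < 8:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", table, 0)
    body = table[8:length]
    der_len = der_sequence_length(body)
    slack = max(len(body) - der_len, 0) if der_len is not None else len(body)
    return {
        "revision": revision, "type": cert_type, "signed_data_len": der_len,
        "slack_bytes": slack,                     # clean files: at most 7 bytes of 8-byte padding
        "au3_marker_at": body.find(AU3_MARKER),   # -1 when absent
        "suspicious": slack > 7 or AU3_MARKER in body,
    }

def security_directory(pe):
    """File offset and size of the attribute certificate table (data directory 4), or None."""
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                           # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 holds a file offset, not an RVA
    return (off, size) if size else None

# Constructed sample: a dummy 300-byte DER SEQUENCE in place of the PKCS#7 SignedData, then an appended AutoIt payload.
FAKE_SIGNED_DATA = b"\x30\x82\x01\x2c" + b"\x00" * 300
FAKE_PAYLOAD = b"junk" + AU3_MARKER + b"<compiled script bytes>"
FAKE_TABLE = struct.pack("<IHH", 8 + len(FAKE_SIGNED_DATA) + len(FAKE_PAYLOAD), 0x0200, 0x0002)
FAKE_TABLE += FAKE_SIGNED_DATA + FAKE_PAYLOAD
```

For a real file, read it into memory, call `security_directory` on the bytes, and pass the slice it points to into `inspect_cert_table`; the constructed `FAKE_TABLE` shows what a hit looks like.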

The malicious implant searches for processes that indicate the presence of debugging or security software and tries to terminate them. Next, a set of final payload files is installed. Using Windows Management Instrumentation, elements of the malicious code are launched on a schedule: once every three minutes, the netcat utility is executed and its output is sent to the attackers’ command server, and every 5, 10 and 15 minutes further components of the attack are launched, with a number of components duplicated for reliability. In addition to WMI, persistence is also achieved through registry keys and other methods.

The second unusual feature of this attack is the use of the open source SIEM system Wazuh for remote control of the system and collection of telemetry. Through this legitimate tool, attackers can execute arbitrary commands on the victim’s computer. In addition to this communication channel, the A3X script also sends information to the organizers through a Telegram channel. The ultimate goal of the attack organizers is to install a Monero and Zephyr cryptocurrency miner.

Kaspersky Lab researchers note the rather high complexity of this large-scale attack, which uses non-standard tools and methods. Although the main goal is cryptocurrency mining, the malicious campaign is also aimed at stealing cryptocurrency from users by replacing wallet addresses in the clipboard. Of course, this does not exclude other malicious actions. According to Kaspersky Lab, the vast majority of attacks (88%) target users in Russia.

What else happened

Another report from Kaspersky Lab experts examines a complex APT attack on organizations in Russia.

Last week it became known about the hacking of the Wayback Machine archive of web pages. The resource was also subject to a DDoS attack and defacement—the following message was displayed to site visitors for some time:

The resource stopped working for several days. The most unpleasant consequence of this combined attack was the leak of the database of registered users – a total of 31 million entries with email addresses and encrypted passwords. The leak of the user base occurred several days before the DDoS attack; the data is current as of September 28 of this year.

An urgent update for the Mozilla Firefox browser, issued on September 9, closes an exploitable use-after-free vulnerability in the Web Animations component.

Microsoft has released another set of patches for its products. The most serious vulnerability closed by this patch set (CVE-2024-43572, 7.8 points on the CVSS v3 scale) relates to the Microsoft Management Console module. The vulnerability was being actively exploited at the time of discovery and could lead to the execution of arbitrary code when opening Microsoft Saved Console files. Last week Microsoft also fixed a nasty bug in Word 365 that caused documents to be deleted instead of saved.

ESET reports attacks on systems isolated from the network (air-gapped). The malicious activity has been linked to the GoldenJackal group, which Kaspersky Lab researchers reported on last year.

Qualcomm reports closing 20 vulnerabilities in its solutions used in popular Android smartphones. The most severe issue (CVE-2024-43047) was found in the audio processing subsystem and was likely being used in targeted attacks at the time of discovery.

The Google Chrome browser has begun warning users of the popular ad blocker uBlock Origin that it will soon stop working. In the near future, extensions built on Manifest V2 will be blocked in this browser. Users are advised to switch to extensions that use Manifest V3, which somewhat limits the capabilities of extensions, including banner ad blockers.

Several critical vulnerabilities were discovered at once in Palo Alto Networks firewalls, including one with a CVSS rating of 9.9. Successfully compromising such a network device can give attackers full access to it, including user data with plaintext passwords.

OpenAI has published a report on the use of AI services for malicious purposes. The summary of the report: yes, they are actively used, and at all stages of cyber attacks, from writing code to generating texts. In addition, there have been cases of malware being distributed under the guise of a “client for ChatGPT” and attacks on OpenAI employees.
