Password-stealing and keylogging malware is being spread through fake downloads

Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilites as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs. 

The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  

Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.

SEE: A winning strategy for cybersecurity (ZDNet special report) 

Researchers believe that victims are tricked into downloading the malware via malvertising – malicious online adverts – that trick them into downloading fake installers of popular software onto their systems. The users are likely to be looking for the legitimate versions of the software, but get directed to the malicious versions by advertising. 

Some of the software that users are tricked into downloading includes fake versions of messaging apps such as Viber and WeChat, as well as fake installers for popular video games like Battlefield.  

The installer doesn’t install the advertised software but instead installs three forms of malware – a password stealer, a backdoor and a malicious browser extension, which enables keylogging and taking screenshots of what the infected user is looking at. 

The password stealer being distributed in the attacks is known as Redline, a relatively common malware that steals all the usernames and passwords it finds on the infected system. Magnat previously distributed a different password stealer, Azorult. The switch to Redline likely came because Azorult, like many other forms of malware, stopped working correctly after the release of Chrome 80 in February 2020

While the password stealers are both commodity off-the-shelf malware, the previously undocumented backdoor installer – which researchers have called MagnatBackdoor – appears to be a more bespoke form of malware that has been distributed since 2019, although there are times where distribution has stopped for months. 

MagnatBackdoor configures the infected Windows system to enable stealthy remote desktop protocol (RDP) access, as well as adding a new user and scheduling the system to ping a command and control server run by the attackers at regular intervals. The backdoor allows attackers to secretly gain remote access to the PC when required. 

The third payload is a downloader for a malicious Google Chrome extension, which researchers have named MagnatExtension. The extension is delivered by the attackers and doesn’t come from the Chrome Extension Store.

SEE: Hackers are turning to this simple technique to install their malware on PCs

This extension contains various means of stealing data directly from the web browser, including the ability to take screenshots, steal cookies, steal information entered in forms, as well as a keylogger, which registers anything the user types in the browser. All of this information is then sent back to the attackers.  

Researchers have likened the capabilities of the extension to a banking trojan. They suggest the ultimate aim of the malware is to obtain user credentials, either for sale on the dark web or for further exploitation by the attackers. The cyber criminals behind MagnatBackdoor and MagnatExtension have spent years developing and updating the malware and that’s likely to continue. 

“These two families have been subject to constant development and improvement by their authors – this is likely not the last we hear of them,” said Tiago Pereira, a security researcher at Cisco Talos. 

“We believe these campaigns use malvertising as a means to reach users that are interested in keywords related to software and present them links to download popular software. This type of threat can be very effective and requires that several layers of security controls are in place, such as endpoint protection, network filtering and security awareness sessions,” he added. 

MORE ON CYBERSECURITY