Deceptive Tactics through a Fake Windows News Portal

Recent findings reveal a novel malvertising strategy employing counterfeit websites masquerading as legitimate Windows news portals. The primary objective is to propagate a malevolent installation of CPU-Z, a widely recognized system benchmarking utility.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

Jérôme Segura from Malwarebytes notes, “This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection,”

While malvertising operations often resort to creating duplicate websites promoting popular software, the latest activity stands out due to its imitation of WindowsReport[.]com.

This recent development is particularly noteworthy as the deceptive website closely mimics the appearance of WindowsReport[.]com. The primary aim is to mislead unsuspecting individuals searching for CPU-Z on popular search engines like Google. Malicious advertisements are strategically displayed, leading users, upon clicking, to the counterfeit portal (workspace-app[.]online).

Employing a tactic known as cloaking, individuals who are not the intended targets of the campaign are simultaneously presented with an innocuous-looking blog featuring distinctive posts.

A malicious PowerShell script, known as FakeBat (or EugenLoader), is responsible for deploying RedLine Stealer onto vulnerable hosts. This is achieved through the use of a signed MSI installer hosted on a deceptive website.

Malwarebytes’ Jérôme Segura suggests, “It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page.”

This incident isn’t the first occurrence of deceptive Google Ads exploiting the popularity of well-known software to serve as a conduit for malware distribution. Notably, the precursor to the BlackCat ransomware attack, the updated Nitrogen campaign, was recently disclosed by cybersecurity firm eSentire

The Canadian cybersecurity company has documented two additional campaigns, illustrating the recent trend of various malware families, including NetWire RAT, DarkGate, and DanaBot, being disseminated through the drive-by download technique, guiding users toward questionable websites.

This revelation aligns with the increasing use of adversary-in-the-middle (AiTM) phishing kits, such as DadSec, NakedPages, and Strox, by threat actors. These kits enable the circumvention of multi-factor authentication, providing attackers with control over targeted accounts.

Adding to the complexity, eSentire has highlighted a novel technique named the Wiki-Slack assault. This user-direction attack endeavors to redirect victims to a website controlled by the attacker by modifying the final paragraph of a Wikipedia page and disseminating it through Slack.

Specifically, this technique capitalizes on a quirk in Slack that’mishandles the whitespace between the first and second paragraph,’ leading to automatically creating a link whenever the Wikipedia URL appears in the enterprise messaging platform as a preview.

It’s crucial to highlight that this method is contingent upon the first word of the second paragraph in the Wikipedia page falling within the initial 100 words of the article and being a top-level domain (e.g., in, at, com, or net).

Within these defined parameters, a threat actor could potentially exploit this behavior to weaponize Slack’s preview results, redirecting users to a malicious link upon clicking and exposing them to a booby-trapped website.

“If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it,” said eSentire.