A new malvertising campaign has been observed wherein threat actors are copying a legitimate Windows news portal to distribute malware.

This type of website is often visited by software enthusiasts and system administrators to stay updated about computer reviews and download software utilities. 

What’s happening?

• Threat actors are leveraging the Windows news portal to promote a malicious installer for the popular processor tool CPU-Z.
• As part of the attack, threat actors employ a cloaking technique that redirects unsuspecting victims to a standard blog page displaying several articles.     
• However, in an actual case, the targeted victim is redirected to a download page that contains a digitally signed MSIX installer to evade detection. 
• Once the user clicks on the installer, a malicious PowerShell script named FakeBat gets executed on the system, which further downloads Redline Stealer. 

Other notable activities observed recently

• Speaking of visual trickery, there has been a notable rise in fake browser update campaigns to propagate Cobalt Strike, loaders, and stealers.
• Recently, Proofpoint traced at least four distinct threat clusters using fake browser updates to distribute malware. 
• One of these threats was linked to the ClearFake campaign that leveraged the watering hole technique to inject malicious JavaScript code into compromised WordPress sites. 
• Victims visiting these sites were unknowingly tricked into downloading malware payloads onto their systems. 

Conclusion

Impersonating popular software has been a go-to-attack vector for cybercriminals to deceive users into installing malware. As for the current case, organizations can stay alert by verifying a software file’s checksum with SHA256 hash sum posted on the vendor’s website. Besides these, organizations can leverage the IoCs, including the malicious domains, and payload URLs, associated with the threat that are available to understand the attack pattern.