Malvertising campaigns mimicking popular software downloads to infect users and steal credentials, HP Wolf Security reports
February 2023 by HP Wolf Security
The HP Wolf Security Threat Research Team has just released detailed analysis of several major malvertising campaigns, which use paid advertisements on search engines to direct users to highly convincing spoof websites for well-known software – including Audacity, Teams, Discord and Adobe – tricking users into downloading malware onto their PCs.
• Oh, the audacity! – cybercriminals spoofed the website of the popular audio editing software Audacity to make it look almost identical to the real page (image below), apart from the typo in the web address (it reads Audacite instead of Audacity). Clicking the download button delivers the Vidar Stealer malware to the machine, which then harvests the credentials saved by other applications.
o Interestingly, the cybercriminals artificially inflated the malicious file to 343 MB, which exceeds the maximum file size that some antivirus scanners will inspect, making the payload more likely to evade detection tools.
o The Vidar Stealer campaign has also been seen mimicking other popular software, such as the Blender 3D suite and the GIMP image editor.
• Watch your downloads – HP has also seen IcedID campaigns use the same approach, directing users to fake pages for popular software such as Teams, Discord and Adobe, then convincing them to open a malicious .ZIP file that downloads IcedID and compromises the machine.
o This has been occurring on a large scale – over a two-month period, 92 fake domains were identified that had been, or still could be, used to distribute IcedID.
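The file-inflation trick used in the Vidar campaign is worth checking for explicitly, because a scanner that skips files above its size cap never sees the payload at all. The Python script below is an added example written for this article, not HP Wolf Security's tooling: it splits a file into 4 KiB chunks, measures each chunk's byte entropy, reports what fraction of the file is low-entropy filler, and strips that filler so the remainder can be handed to a scanner or sandbox. The sample "files" are constructed in memory (a deterministic pseudo-random 64 KiB payload, then the same payload followed by 2 MiB of zero bytes instead of the 343 MB seen in the real sample), and the 100 MB scanner cap is an assumed value; real products differ.

```python
"""Triage check for malware samples padded with filler bytes to exceed an
antivirus scanner's file-size limit.

Added example for this article; not HP Wolf Security tooling. The sample
"files" are constructed in memory, so nothing here touches real malware.
"""
import math
import random
from collections import Counter

CHUNK = 4096              # bytes per chunk examined
FILLER_ENTROPY = 1.0      # bits/byte; a chunk of one repeated value scores 0.0
SIZE_CAP_MB = 100         # assumed scanner limit for the demo; real products differ
INFLATED_AT = 0.5         # flag when at least half the file is filler


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant chunk, close to 8.0 for random data."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def chunks(data: bytes):
    """Yield fixed-size slices of the file (the last one may be shorter)."""
    for i in range(0, len(data), CHUNK):
        yield data[i:i + CHUNK]


def padding_fraction(data: bytes) -> float:
    """Fraction of chunks that look like filler (near-constant byte values)."""
    total = 0
    filler = 0
    for chunk in chunks(data):
        total += 1
        if shannon_entropy(chunk) < FILLER_ENTROPY:
            filler += 1
    return filler / total if total else 0.0


def strip_padding(data: bytes) -> bytes:
    """Return the file with filler chunks removed so it fits under a scanner's cap.

    Scan or detonate the stripped copy; keep the original for hashing and
    evidence, since removing padding changes the hash and may break the
    executable's layout.
    """
    return b"".join(c for c in chunks(data) if shannon_entropy(c) >= FILLER_ENTROPY)


def assess_download(data: bytes) -> dict:
    """Summarise size, filler share and whether the file looks artificially inflated."""
    frac = padding_fraction(data)
    size_mb = len(data) / (1024 * 1024)
    return {
        "size_mb": round(size_mb, 2),
        "padding_fraction": round(frac, 3),
        "over_scanner_cap": size_mb > SIZE_CAP_MB,
        "inflated": frac >= INFLATED_AT,
    }


def build_samples():
    """Constructed inputs: a pseudo-random 64 KiB "payload" and the same payload
    followed by 2 MiB of zero bytes (the real sample used roughly 343 MB)."""
    rng = random.Random(2023)  # fixed seed so the demo is reproducible
    payload = rng.randbytes(64 * 1024)
    inflated = payload + b"\x00" * (2 * 1024 * 1024)
    return payload, inflated


if __name__ == "__main__":
    payload, inflated = build_samples()
    for name, sample in (("payload", payload), ("inflated", inflated)):
        print(name, assess_download(sample))
    print("stripped size:", len(strip_padding(inflated)))
```

Treat the padding fraction as a triage signal rather than a verdict: legitimate installers can contain sparse zero-filled regions, and an attacker can just as easily pad with pseudo-random junk, which this entropy test will not flag. For the random-junk case, compare the download's size against the vendor's published installer size, or better, verify the vendor's published hash or code signature before running anything.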
To protect against these campaigns, Patrick Schläpfer, Malware Analyst at HP Wolf Security, offers the following advice:
“It is vital to check the URL of the accessed website for typos. This is not always easy to see, but if you take a closer look, you can easily spot differences to the legitimate domain. Software should only be downloaded from trustworthy sources to reduce the probability of getting infected with malware.
“Many organizations use software distribution systems, which means that the software does not have to be downloaded by the end user but is provided by the system administrator. If you even block the download of such software for end users, you greatly limit this attack vector and are even more protected against such attacks.”
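The URL check Schläpfer describes can also be automated at a web proxy or in a download-monitoring script, so that it does not depend on a user noticing a one-letter difference. The Python below is an added example for this article, not HP Wolf Security code: it compares the registrable part of a download hostname against a small allowlist of vendor domains, normalises common digit-for-letter homoglyphs, and flags labels that sit within a small edit distance of a known brand or that embed the brand name. The allowlist, the homoglyph map and the hostnames fed to it are constructed for the demo, and the "last two labels" domain extraction is a simplification of what the Public Suffix List would give.

```python
"""Flag download hostnames that are typo or homoglyph variants of known vendor
domains. Added example for this article, not HP Wolf Security code.

The allowlist, homoglyph map and test hostnames are constructed for the demo.
"""

# Assumed allowlist: registrable domain -> brand it belongs to. A real deployment
# would maintain this from vendor documentation or an internal software catalogue.
KNOWN_DOMAINS = {
    "audacityteam.org": "audacity",
    "blender.org": "blender",
    "gimp.org": "gimp",
    "discord.com": "discord",
    "adobe.com": "adobe",
    "microsoft.com": "teams",
}
BRANDS = sorted(set(KNOWN_DOMAINS.values()))

# Digits that typosquatters commonly swap in for letters (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Last two labels of the hostname. Simplification: a real tool would use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(hostname: str, max_distance: int = 2) -> tuple:
    """Return (verdict, brand, distance) for a download hostname.

    verdict is one of 'known', 'lookalike', 'brand-in-label' or 'unknown'.
    """
    domain = registrable_domain(hostname)
    if domain in KNOWN_DOMAINS:
        return ("known", KNOWN_DOMAINS[domain], 0)
    # Normalise the second-level label: undo digit-for-letter swaps, drop hyphens.
    label = domain.split(".")[0].translate(HOMOGLYPHS).replace("-", "")
    distance, brand = min((levenshtein(label, b), b) for b in BRANDS)
    if distance <= max_distance:
        return ("lookalike", brand, distance)
    for b in BRANDS:
        if b in label:
            return ("brand-in-label", b, distance)
    return ("unknown", None, distance)


if __name__ == "__main__":
    # Constructed hostnames for the demo; only the allowlisted ones are real vendor domains.
    for host in ("www.audacityteam.org", "audacite.org", "d1scord.com",
                 "adobe-reader-download.net", "example.com"):
        print(host, classify(host))
```

In a proxy or endpoint agent, an "unknown" verdict for an executable download is the case to block by default when software is provisioned centrally, as the quoted advice suggests; "lookalike" and "brand-in-label" verdicts are the ones worth alerting on, since they are the pattern the Audacity, Discord and Adobe spoofs in this report follow.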