A new malware known as ‘LOBSHOT’ distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC.
Earlier this year, BleepingComputer and numerous cybersecurity researchers reported a dramatic increase in threat actors utilizing Google ads to distribute malware in search results.
These advertising campaigns impersonated websites for 7-ZIP, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus, and many more applications.
However, these sites pushed malware instead of distributing legitimate applications, including Gozi, RedLine, Vidar, Cobalt Strike, SectoRAT, and the Royal Ransomware.
LOBSHOT distributed by Google ads
In a new report by Elastic Security Labs, researchers revealed that a new remote access trojan named LOBSHOT was being distributed through Google Ads.
These ads promoted the legitimate AnyDesk remote management software but led to a fake AnyDesk site at amydeecke[.]website.
This site pushed a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain historically associated with the TA505/Clop ransomware gang.
This site pushed a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain historically associated with the TA505/Clop ransomware gang.
However, Proofpoint threat researcher Tommy Madjar previously told BleepingComputer that this domain had changed ownership in the past, so it is unclear if TA505 is still using it.
The downloaded DLL file is the LOBSHOT malware and will be saved in the C:ProgramData folder and then executed by RunDLL32.exe.
“We have observed over 500 unique LOBSHOT samples since last July. The samples we have observed are compiled as 32-bit DLLs or 32-bit executables typically ranging around 93 KB to 124 KB,” explains the Elastic Security Labs report.
Once executed, the malware will check if Microsoft Defender is running, and if detected, terminate execution to prevent detection.
However, if Defender is not detected, the malware will configure Registry entries to start automatically when logging in to Windows and then transmit system information from the infected device, including running processes.
The malware will also check for 32 Chrome cryptocurrency wallet extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions.
After enumerating the extensions, the malware will execute a file in C:ProgramData. However, as that file did not exist in their analysis, Elastic is unsure whether it’s used to steal the extension data or for some other purpose.
While stealing cryptocurrency extensions is common, Elastic also found that the malware included an hVNC module, allowing the threat actors to quietly access an infected device remotely.
Stealthily controlling victims’ devices
hVNC, or hidden virtual network computing, is a VNC remote access software modified to control a hidden desktop on the infected device rather than the main desktop used by the device’s owner.
This allows a threat actor to remotely control a Windows desktop computer without the victim knowing it is happening.
Elastic says LOBSHOT deploys an hVNC module that allows the threat actors to control the hidden desktop using their mouse and keyboard as if they were in front of it.
“At this stage, the victim machine will start sending screen captures that represent the hidden desktop that is sent to a listening client controlled by the attacker,” explains Elastic.
“The attacker interacts with the client by controlling the keyboard, clicking buttons, and moving the mouse, these capabilities provide the attacker full remote control of the device.”
Using hVNC, the threat actors have complete control over the device, allowing them to execute commands, steal data, and even deploy further malware payloads.
As AnyDesk is commonly used in business environments, the malware is likely used for initial access to corporate networks and to spread laterally to other devices.
This type of access could lead to ransomware attacks, data extortion, and other attacks.