This dangerous malvertising campaign mimicks popular software to steal victim info

(Image credit: Elchinator from Pixabay)

Cybersecurity researchers from HP Wolf Security have warned of several active campaigns looking to deliver different types of malware to unsuspecting victims via typosquatted domains and malvertising. 

The team explained in a blog post how they found threat actors creating multiple typosquatted websites impersonating popular software such as Audacity, Blender, or GIMP. 

The scammers also paid different ad networks to run ads, promoting these fake websites. That way, when people search for these programs, search engines might end up serving malicious versions of the websites right next to legitimate ones. If a user isn’t careful and does not double-check the URL of the website they’re visiting, they might end up in the wrong place.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Fake installers

If victims do end up in the wrong place, they’ll hardly notice the difference. The websites are designed to look almost identical to the authentic ones, down to the tiniest detail. In Audacity’s example, the site hosts a malicious .exe file masquerading as the program’s installer. It is named “audacity-win-x64.exe” and is more than 300MB in size. 

By being this big, the attackers try to avoid raising suspicion (malware is usually measured in KB), but also try to avoid antivirus programs. According to the researchers, some antivirus programs’ automatic scanning features don’t scan extremely large files.

The files are hosted on the cloud storage service, the researchers said, adding that all the fake installers in this campaign have been hosted there, hinting that a good defense mechanism might be to block access to this service entirely.

In the campaign, different types of malware are distributed. The largest campaigns the researchers have seen used this delivery approach to deploy the IcedID trojan, but the Vidar infostealer, BatLoader, and Rhadamanthys Stealer, have all been observed. According to HP Wolf Security, there’s been an uptick in these campaigns since November last year.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.