Hackers with an apparently novel sense of creativity have been found hiding malicious code on legitimate platforms such as video and news sites, security researchers are warning.
Cybersecurity researchers from Mandiant have published a new report detailing the campaigns. As per the writeup, a threat actor labeled as UNC4990 was holding malicious payloads in plain sight - in forum user profiles, video descriptions, and similar.
Consumers visiting these websites and pages were at no risk, however. For them, the payload was nothing more than lines of benign text that made no difference.
To turn that text into something dangerous, the attackers deployed a USB drive hosting a malicious .LNK shortcut. When activated, the file executes a PowerShell script called explorer.ps1, which then downloads a secondary payload that decodes to a URL which ultimately downloads and installs the malware downloader EMPTYSPACE.
Finally, EMPTYSPACE downloads QUIETBOARD, a sophisticated backdoor that can run commands, Python code, change the contents of the clipboard, infect removable drives, grab screenshots and system information, and more.
The motives seem to be material, Mandiant says. QUIETBOARD was used, among other things, to monitor the victim devices for cryptocurrency wallets being copied and pasted. In that case, the backdoor would replace the wallet address with the one belonging to the attackers, having the victims send their funds to the wrong recipient. Besides, Mandiant observed hackers using EMPTYSPACE to deliver other cryptocurrency miners, earning at least $55,000 for their efforts.
There are numerous advantages to hiding payloads on legitimate platforms, Mandiant concluded, including the fact that they’re trusted by security systems and allow hackers to hide malicious traffic in a huge stream of otherwise legitimate traffic.
Since the researchers discovered the campaign, most of the malicious code has been removed. However, hackers can simply reintroduce it elsewhere, which is another huge advantage of this approach.
More from TechRadar Pro
- This new Linux malware floods machines with cryptominers and DDoS bots
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.