Fake VPN checker tool lets hackers bypass antivirus protections


  • Attackers use fake Fortinet dialogs and social engineering to trick users into executing malware
  • Cache smuggling hides malware in browser cache, bypassing download and PowerShell detection tools
  • Malware is extracted from fake image files and deployed as FortiClientComplianceChecker.exe

Hackers are using a combination of social engineering, cache smuggling, identity theft, and straight-up bluffing to bypass common security protections and deploy malware onto victims' computers, experts have said.

Security researchers at Expel, as well as an independent researcher with the alias P4nd3m1cb0y, observed websites pretending to be a pop-up dialog from Fortinet VPN's "Compliance Checker".

There seems to be no such thing, other than the ability to configure the FortiClient Compliance Profile within FortiOS. In any case, that dialog instructs the victim to copy what appears to be a path to a file installed on the hard drive, and paste it in File Explorer.

Used by ransomware actors

The path is actually padded with more than 100 spaces to hide its true purpose - to run a PowerShell command. At the same time, the phishing website executes JavaScript that instructs the browser to fetch an image and cache it on the file system. This file is not an actual image, but rather hidden malware.

"This technique, known as cache smuggling, enables the malware to bypass many different types of security products," the researchers explained.

"Neither the webpage nor the PowerShell script explicitly download any files. By simply letting the browser cache the fake 'image,' the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests."

"As a result, any tools scanning downloaded files or looking for PowerShell scripts performing web requests wouldn't detect this behavior."

The script then scans each cache file for content that’s actually a .ZIP file stored in the fake image, and extracts it to FortiClientComplianceChecker.exe - the actual malware. There was very little talk about who the attackers were, or the victims, but apparently some ransomware actors have already started deploying this tactic in their attacks.
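A defensive counterpart to the cache scan described above, added here as an example and not code from Expel's write-up or from the attackers' script: it walks a directory of cached files and flags any blob that starts like an image but also parses as a ZIP archive, which is the polyglot cache smuggling depends on. The sample "image" it builds is constructed for testing and holds only placeholder bytes.

```python
import io
import zipfile
from pathlib import Path

# Header bytes of common image formats: a cached "image" that also carries a ZIP
# archive is the polyglot this attack relies on.
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def image_type(data: bytes):
    """Return the image format the leading bytes claim, or None."""
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None

def embedded_zip(data: bytes):
    """Return (offset, member_names) if an image-looking blob contains a readable
    ZIP archive after its header, else None."""
    if image_type(data) is None:
        return None
    offset = data.find(ZIP_LOCAL_HEADER, 1)
    if offset == -1:
        return None
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):  # also requires a valid end-of-central-directory record
        return None
    with zipfile.ZipFile(buf) as zf:  # zipfile tolerates leading junk before the archive
        return offset, zf.namelist()

def scan_cache_dir(cache_dir):
    """Walk a browser cache directory and list image/ZIP polyglots found in it."""
    hits = []
    for path in Path(cache_dir).rglob("*"):
        if path.is_file():
            found = embedded_zip(path.read_bytes())
            if found:
                hits.append((str(path), found[0], found[1]))
    return hits

def build_sample_polyglot(member="FortiClientComplianceChecker.exe"):
    """Constructed sample for testing only: a bogus JPEG header followed by a ZIP
    archive whose single member is a harmless placeholder, not a real executable."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")
    header = b"\xff\xd8\xff\xe0" + b"\x00" * 60  # JPEG SOI/APP0 marker plus padding
    return header + zbuf.getvalue()
```

Run `scan_cache_dir()` against a copy of a browser's cache directory rather than the live one, so in-use files are not skipped or locked.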

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
