[BSL2024] Weaponized Ads: A Stealer in Plain Sight - João Godinho
- Published: 13 Dec 2024
- This presentation explores a recent and active malvertising campaign that disguises itself as legitimate software to deliver a malicious stealer payload. We will conduct a technical analysis of the campaign, starting with the infection chain - from a fake ad to an infostealer - and then examine how the attackers have set up their infrastructure to evade detection. The talk will conclude with an overview of the attackers’ activity in recent months.
In April 2024 we identified suspicious activity from a binary named notion.exe, which triggered an investigation into its origin. Our research revealed that the binary came from phishing websites targeting Discord, Notion, Slack and Zoom users. These phishing websites provided a fake installer that ultimately dropped LummaStealer.
Upon further research we discovered that the infection chain was more intricate than expected: it began with sponsored links, followed by a redirect chain to a phishing website. Users would then download a fake installer, which would communicate with an intermediate C2 to fetch a malicious script. This script downloaded a dropper that would then fetch the final infostealer payload.
Even though the entire infection chain process was governed by IP and computer UUID whitelisting, OPSEC failures on the attackers’ part allowed us to gain visibility into their infrastructure. This revealed alarming data on their activities, including a concerning number of potential daily infections.
By the end of this talk, attendees will gain a deeper understanding of how attackers are leveraging ad networks to target unsuspecting victims while avoiding detection by researchers.
About the Speaker:
João Godinho is a Security Researcher with 10 years of experience in the cybersecurity field. He is currently a member of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, focusing on tracking and uncovering APT and crimeware activities. When he’s not hunting malware you might find him flying or hacking stuff.