Google Ads Used to Push Fake Google Chrome Installer

google ads, Google Chrome, malware, Ophtek, SecTopRat, security software, security_updates, , , , , ,
25
Mar 2025

Cybercriminals are exploiting Google Ads to distribute malware disguised as a genuine Google Chrome installer, tricking users into downloading the malware.

Threat actors are always innovative, and this recent attack underlines exactly why you need to be on your guard when online. Attackers have been purchasing ads which appear when PC users search for popular software downloads e.g. Google Chrome. Unfortunately, the ads which are served up lead to dangerous websites which closely resemble official download pages. This deception tricks users into downloading and installing malware.

As we spend a high proportion of our work time online, we’re going to dig deep into this attack to see what we can learn.

How Can Google Ads Compromise Your PC?

In this attack, users searching with terms such as “download Google Chrome” might find themselves confronted with a sponsored ad at the top of their search results. This ad can, at first, appear genuine, often having a URL which includes “sites.google.com” – a Google platform used to build free websites. Accordingly, users feel confident that these pages are official and trustworthy, especially when they look very similar to official download sites.

Once a user clicks the ad, they’re redirected to a malicious page which is a highly convincing imitation of the official Google Chrome download site. This page urges users to download a file named “GoogleChrome.exe” and, so far, everything appears as you would expect. With nothing unusual to suspect, users make the decision to trust the page, download the file, and then launch it.

However, once executed, the installer begins to act suspiciously. Firstly, it connects to a remote server to retrieve additional instructions. Secondly, it requests that they user grants it administrative privileges to assist in completing the download. At this point, alarm bells should start ringing, but most users still feel as though the software can be trusted. Once administrative privileges are granted, the installer executes a PowerShell command which prevents Windows Defender from scanning the malware’s location, enabling it to operate quietly in the background.

A further file is then downloaded to the BackupWin directory and, masquerading under the name of a genuine piece of software, opens up a communication channel with the threat actors’ remote server. The malware used is SecTopRAT, a Remote Access Trojan which allows the attackers to take remote control of the infected system and steal sensitive data such as capturing keystrokes, accessing files, and recording user activities.

Protecting Against the SecTopRAT Threat

Your employees are busy with their daily tasks and, therefore, it’s easy for them to have a lapse of judgement and quickly click on something they believe to be genuine. However, this can be disastrous for your IT infrastructure, so it’s crucial that your staff are mindful of the following:

  • Be Cautious of Sponsored Ads: Just because an ad is that the top of the search results, this doesn’t mean it can be trusted. This is why it’s important to always verify the authenticity of a URL before clicking it. Check for any unusual spellings or, to be fully safe, navigate directly to the official website for that software.
  • Only Download from Official Sources: The best approach is to always head straight to the developers website rather than trusting other online sources. Aside from sponsored ads, it’s critical that your team avoids downloading via links in emails or through torrent sites – both of these sources often lead to nothing but malware.
  • Keep Your Security Software Updates: One of the simplest ways to thwart attackers is to make sure your security software is up to date. This software regularly scans your system for threats, but it needs to be updated as soon as possible to detect the latest threats.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malicious Code Found Embedded in Steam Downloads

anti-malware_software, malware, Ophtek, PirateFi, security, Steam, vidar, , , , ,
18
Mar 2025

A malicious game on Steam called PirateFi was found to contain malware which steals personal information, highlighting the risks of unverified downloads.

A recent attack involving a game on Steam has highlighted the importance of vigilance when downloading software. The game, called PirateFi, was available to download on Steam – an online platform for buying and playing games – but contained malware designed to steal personal data from players’ computers.

Pirates Strike Gold on Infected Systems

PirateFi – which was a free to play game – was developed by Seaworth Interactive and available on Steam from February 6th to February 12th, 2025. Promising an engaging and challenging survival experience, setting players objectives such as base building, food gathering, and making weapons, PirateFi was downloaded by around 1500 players and generated numerous positive reviews.

However, it was soon discovered that PirateFi was not simply a game meant to excite players and take their minds off the real world. Reports soon emerged that the game contained malware known as Vidar, a data-stealing program. Vidar is designed to harvest sensitive data from infected computers, so this could easily include passwords, financial information, and personal documents. Rather than Vidar being bundled with PirateFi as bloatware, Vidar was embedded within the game’s files, allowing it to be launched when the game was started.

Valve, the company behind Steam, quickly removed PirateFi from their platform on February 12th, when the threat was identified. They were also swift in issuing security notifications to those who had downloaded the game. Valve’s advice was, for those who had downloaded PirateFi, to run a full system scan using up-to-date antimalware software to detect and remove any dangerous files. Alternatively, Valve suggested that those at risk fully reinstalled their operation system to ensure Vidar was completely removed.

Staying Safe from Dangerous Downloads

This attack underlines the ingenuity and evolving tactics of threat actors, who are increasingly targeting popular platforms like Steam and GitHub to distribute their malware.

By disguising their malware as legitimate tools on these platforms, the threat actors are exploiting the trust users place in these websites. For a threat actor, this is fantastic as it opens up their attack to a huge audience. However, for a user it’s highly frustrating and dangerous. Accordingly, you need to practice the following to remain safe:

  • Be Cautious with Unverified Software: Before downloading and installing new software, especially from lesser-known sources, always take the time to research the application. Seek out reviews from reputable sources and check for any reports of malicious activity relating to the software.
  • Keep Your Security Software Updated: Ensure that your antivirus and anti-malware programs are always up to date. Regularly scan your system for potential threats, particularly after installing new applications. Updated security software can detect, quarantine and delete the latest malware threats before they can take hold of your system.
  • Monitor for Unusual Activity: Always be mindful of any suspicious activity on your networks, such as unusual drops in performance, unfamiliar programs executing, or unauthorized access to your accounts. If you notice signs such as these, there’s a chance that your network has been breached.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

United States Cyber Command Has Halted All Operations Targeting Russia

cyber attacks, Cyber Security, Kremlin, National Cybersecurity Strategy, NATO Allies, Ophtek, Pete Hegseth, Russian Hacker, Ukraine, US Cyber Command, , , , , , , ,
10
Mar 2025

In a shock move, U.S. Defense Secretary Pete Hegseth has ordered Cyber Command to stop all cyber operations against Russia.

The Shift in Policy

On February 28th 2025, Secretary of Defense Pete Hegseth issued a directive ordering US Cyber Command to immediately call off all offensive cyber operations which target Russia. This order was communicated directly to Cyber Command’s leader, Gen. Timothy Haugh, who then instructed his teams to stand down. It was a decision which reportedly took many within the Department of Defense by surprise. Many ongoing cyber operations against Russian state-sponsored hacking groups had been in progress for some time, so the increased risk of cyberattacks was a major concern.

Established in 2010, Cyber Command has played a key role in US cybersecurity strategy for 15 years. From protecting cyberspace through to disrupting Russian cyber threats and state-backed hacking campaigns, Cyber Command has played a major role in preventing attacks which have targeted government infrastructures and private companies. It’s important to note, however, that while Cyber Command’s operations against Russia have been put on hold, other US intelligence agencies are still permitted to monitor and collect information on Russian activities online.

Why Were US Cyber Operations Stopped?

Hegseth’s directive has caused equal measures of concern and intrigue. It was a move which no one saw coming and the objectives remain unconfirmed. The main reason behind the decision appears to be a shift in foreign policy by the new administration. President Donald Trump has long been open about his desire to build diplomatic bridges with Russia, which have been tense since Moscow’s 2022 invasion of Ukraine. Trump has promised his electorate he will put a swift end to the war in Ukraine but appears to be taking the side of Russia by blaming the conflict on Ukraine.

Many suspect that, by ending cyber operations against Russia, the US administration aims to demonstrate an end to hostilities between the two nations, with the Kremlin benefitting significantly from this act of goodwill. Nonetheless, many critics are arguing that this move weakens the defenses of the US and encourages Russia to continue its cyberattacks without consequence.

Is US Cybersecurity Now at Risk?

The ramifications of this controversial decision have the potential to be far-reaching. National security has long relied on cyber strategies and operations to protect US interests. Russian cyberattacks have been plentiful in recent years, with 2024 seeing Russian hackers striking critical US infrastructures. Accordingly, the ongoing presence of Cyber Command has been crucial in countering Russian attacks in the digital landscape. Experts fear that suspending these activities could have several consequences:

What Has the Reaction from the Digital Community Been?

Understandably, this news story has caused major debate amongst politicians, journalists and commentators in the digital community. Strong opinions have been voiced, and the internet has been ablaze with polarizing comments.

Lawmakers from Congress have criticized the decision and compared it to removing the military’s ability to defend itself against aggressive action in war. At the same time, cybersecurity experts have condemned the move and pointed at the obvious fact that Russia now has free rein to target critical infrastructure in the US. Commentators on Reddit have been much harsher, with conspiracy theories swirling that Russian executives have infiltrated the Trump administration.

The Immediate Future of US Cybersecurity and Russia

For now, Cyber Command is following orders and has ceased its offensive operations. However, it remains unclear whether this is a temporary move or part of a long-term strategy. If Russian cyber activity increases significantly, surely there will be a change in policy. Only time will tell.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Vulnerable ASP.NET Keys Used to Unlock PC Security

ASP.NET keys, malicious code, malicious ViewState, Microsoft, monitor applications, Ophtek, System Updates, , , , , ,
04
Mar 2025

Attackers are exploiting exposed ASP.NET keys to inject malicious code into web applications, leading to unauthorized access and potential data breaches.

Microsoft has announced that a major security issue has been identified where cybercriminals are taking advantage of publicly available ASP.NET machine keys. These keys, usually used to secure web applications, are being altered to insert harmful code, compromising the security of affected systems.

What is ASP.NET and How Does it Work?

ASP.NET is a free framework developed by Microsoft to help people build web applications and services. Part of this framework involves a feature called ViewState, used to help web pages remember user data and maintain this information across different sessions. To protect this data, ASP.NET uses machine keys such as ‘validationKey’ and ‘decryptionKey’ to ward off any malicious activities. These keys are used to encrypt and validate the data, ensuring it remains secure and confidential.

However, an investigation by Microsoft’s Threat Intelligence team has discovered that some developers are copying these machine keys from online sources, such as repositories, and using them in their own applications. This practice quickly becomes a risk when the same keys are reused across multiple applications or when they can easily be found. These scenarios allow threat actors to find these keys and use them to create malicious versions of ViewState data.

How has ViewState Been Compromised?

When a threat actor gets hold of a machine key used by a target application, they can create a malicious ViewState – this is a piece of data typically trusted by the application and won’t ring any alarm bells. The malicious ViewState is sent to the server through a POST request. As the ViewState is signed with the correct machine key, the receiving server believes it’s genuine. Once this data has been received and processed, the server unknowingly executes the malicious code embedded within the ViewState.

This method grants threat actors remote access to the compromised server and free rein to execute any processes they want. So, for example, the threat actors could download additional malware, steal sensitive information, and take full control of the server. In one case, the attackers used this technique to launch a cryptocurrency miner on a compromised server. This allowed the threat actors to take control of any PCs on the infected server and use their resources to generate digital currencies. This may sound harmless but it’s at the expense of the PCs performance.

Protecting Yourself from Malicious ViewState

ASP.NET is highly popular and is used by countless websites, so it’s important that we understand the best way to protect users of the framework. Here’s Ophtek’s three top tips for safe usage of ASP.NET:

  1. Use Unique and Secure Keys: Developers using ASP.NET should generate unique machine keys for each application. Always avoid copying keys from online sources or reusing them in other applications. This practice ensures that even if one application’s key is compromised, others remain secure.
  2. Regularly Update Systems: It’s paramount that, as with all software, your web applications and servers are up to date with the latest security patches. Regular updates help you address zero-day vulnerabilities and reduce the risk of your IT infrastructure being compromised.
  3. Monitor Application Activity: You should always use monitoring tools to keep an eye on application behavior. Unusual activities, such as unexpected POST requests or unauthorized installs, can be early indicators of a developing attack. By conducting regular audits, you can increase your chances of stopping an infection before it causes damage.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Lazarus Exploits Open-Source Software and Infects it

cyberattack, data-stealing malware, Lazarus, North Korea, Ophtek, SecurityScorecard, , , , , ,
25
Feb 2025

North Korean hackers from the Lazarus Group have launched a major cyberattack by cloning open-source software and infecting it with malware.

A recent cyberattack has found the North Korean hacking group Lazarus targeting software developers by modifying open-source tools to include malware. Open-source software, freely available for anyone to use or modify, has become a crucial part of software development. However, Lazarus exploited this understanding by injecting malicious code into genuine software. This led to numerous systems becoming compromised, particularly those used by developers in the Web3 and cryptocurrency industries.

Lazarus Attacks Open-Source Software

SecurityScorecard, a cybersecurity organization, discovered that Lazarus had carried out a supply-chain attack known as “Phantom Circuit.” Lazarus selected popular open-source projects to target and embedded malicious code into them. These compromised tools were then uploaded to code-sharing platforms such as GitLab, where developers soon downloaded and started using them.

Once executed, the compromised software set about installing data-stealing malware on the victims’ PCs. The malware’s main objective was harvesting sensitive data such as login credentials, authentication tokens, and other security information. This gave the threat actors full and unauthorized access to their targets’ accounts, allowing them to modify and steal digital assets.

Over 1,500 victims were affected, with the majority being located in Europe, India and Brazil. SecurityScorecard were keen to point out that many of the victims were software engineers, mostly working in cryptocurrency and blockchain technology. In particular, Lazarus targeted modified repositories which hosted Web3 development tools, authentication systems, and cryptocurrency software. These are all attractive targets for threat actors who are looking to make a quick buck through nefarious means and cause digital chaos to IT infrastructures.

How to Protect Yourself

Lazarus has committed numerous cyberattacks in the recent past, with Ophtek previously reporting on their attack on healthcare organizations in 2023. A powerful hacking group, Lazarus has the potential to create powerful and devastating malware. Accordingly, you need to make sure your IT defenses are secure against them and similar hacking groups.

Cybersecurity awareness, as ever, is key to protecting your digital assets, so make sure you follow these best security practices:

  • Verify Your Software Sources: always double-check where your software is coming from before you hit that download button. Stick to official developer websites and trusted repositories e.g. regularly updated GitHub projects. If a new tool appears out of nowhere or is uploaded by an unknown user, think twice before installing it. If in doubt, remember the golden advice: double check it with an IT professional.
  • Keep Your Security Software Updated: first of all, make sure you have antivirus and anti-malware software protecting your systems – these can be downloaded from companies such as AVG and Kaspersky. Secondly, as new cyber threats emerge every day, you need to keep your security software up to date to protect you from new malware. Regular updates will ensure you stay one step ahead of the threat actors.
  • Train Your Employees: Well-trained employees are your first line of defense against cyber threats. Regular cybersecurity training can help your staff recognize phishing attempts, avoid suspicious links, and practice safe browsing and downloading habits. By keeping your team trained and up to date, you can ensure employees stay aware of evolving threats, reducing the risk of security breaches.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 125