verify sources Archives

A new malware attack has been discovered which uses the SnipBot malware to dig deep into the victim’s network and harvest data.

SnipBot is a variant of the RomCom malware, which has previously been used for data harvesting and financially motivated attacks such as the Cuba ransomware attack. SnipBot’s malicious campaign has been widespread, with victims identified in multiple industries including legal, agriculture, and IT sectors. SnipBot performs what is referred to as a pivot, a process by which malware moves between compromised systems on the same network to access as many workstations as possible. This maximizes the amount of data SnipBot can steal and marks it out as a major threat.

SnipBot Unleashed

With 3.4 billion phishing emails sent daily, it’s clear that phishing attacks are incredibly popular with threat actors. And this is the exact approach adopted by SnipBot.

The SnipBot malware attack starts with phishing emails which trick recipients into downloading fake files disguised as legitimate PDFs. When the victim clicks on a link contained within the PDF, a malicious downloader is activated. As these downloaders are signed using real security certificates, they avoid detection by security software.

The malware can then inject itself into core system processes such as explorer.exe, and it can maintain this presence even after a reboot. Once inside the victim’s system, SnipBot sets about collecting sensitive data from popular folders, like Documents and OneDrive. This harvested data is then sent back to the attacker via a remote server.

Palo Alto Networks researchers, who discovered the SnipBot campaign, are unsure as to the true objectives of SnipBot. At present, there appears to be no financial motive present in the attack, so it has been labelled purely as an espionage threat.

How Can You Stay Safe from SnipBot?

Luckily, phishing attacks such as SnipBot can be easily managed. By following these best practices, you’ll not only prevent malware being executed, but also avoid it in the first place:

Verify the Sender: it’s paramount that you always check and double check the sender’s email address, especially when the email is laced with a sense of urgency to perform an action. Phishing emails will often use addresses which look genuine but contain slight errors e.g. admin@0phtek.com where the letter O has been replaced with a zero. If you’re unsure, you can always Google the company to find their official website and verify the domain used.
Don’t Click on Suspicious Links: instead of clicking on suspicious links, the safest option to take is to hover over any links to preview the URL. Embedded links can easily be faked to appear genuine, but contain a link to a different, malicious website. Again, you can Google websites directly to navigate your way to any sections referenced in the email. This prevents you from accessing a malicious website loaded full of malware.
Contact the Sender: legitimate businesses and clients will never request sensitive information – such as login credentials – over emails, so these requests should always ring alarm bells. If you do receive such a request, the best option to take is contact the sender via telephone to confirm whether the email is genuine.
Use Spam Filters: one of the best ways to stop phishing emails reaching your inbox is to activate your emails spam filters. These use vast databases to identify potential threats and redirect them to your spam folder. You can also use your spam filters to block repeat offenders, enhancing the safety of your inbox.

For more ways to secure and optimize your business technology, contact your local IT profe ssionals.

MadMXShell Delivers Malware via Google Ads

adblocker, google ads, MadMXShell, malware, Ophtek, typosquatting, verify sources, windows backdoorad blocker, Google ads, MadMXShell, malware, Ophtek, typosquatting, verify sources, windows backdoorOphtek, LLC

May 2024

Thanks to the presence of a previously unknown Windows backdoor, the MadMXShell malware has created digital chaos through the use of Google Ads

Google Ads are a common sight for anyone stepping foot online, and they’re a sure-fire way to guarantee clicks for those behind the advertising campaigns. Naturally, this makes of great interest to threat actors, as not only is malvertising a useful tool for hacking, but it’s also an easy way to lead people to malicious websites. MadMXShell appears to be a complex piece of malware, comprising several attack methods and tools, so it’s crucial that your organization is on guard against it.

How MadMXShell Serves Up its Malware

The threat actor responsible for MadMXShell is yet to be identified, but the effort invested in the attack demonstrates they’re highly skilled. Having created several domains in the IP scanner niche – with similar sounding names to official sites (a technique known as typosquatting) – the threat actor took advantage of the Google Ads algorithm to push them to the top of the search engine results. This was achieved by targeting keywords – words/phrases entered into search engines by those searching for specific content – and ensuring that their click rate was maximized.

Once lured to these malicious websites, it appears that visitors are encouraged to download IP scanner software. But, as you’ve already worked out, there is no IP scanner software to download. Instead, MadMXShell is downloaded and executed. With its strategy made up of a multi-targeted attack, MadMXShell sets to work harvesting data from infected systems. It does this by communicating with command-and-control servers and evades detection by injecting altered code into seemingly legitimate processes.

Curiously, as the entire campaign centers around IP scanning software, it would appear the main target of MadMxShell are IT professionals. Despite being a tough crowd to deceive, MadMXShell has already managed to gain plenty of victims, and underlines the ease with which even professionals can be taken in by malware.

Keeping the Threat of MadMxShell at Bay

It may sound as though MadMxShell is impossible to protect yourself against, especially if IT experts are struggling to defend against its threat. However, by taking the time to consider the validity of content you see online, you can significantly reduce the risk of falling victim to MadMxShell or similar attacks. The most important factors to consider are:

Always Verify Sources: before clicking on an online advert, always verify its source. If you’re unfamiliar with a website name then try performing a Google search against it, as this may flag it up as a malicious website. Remember, many attacks will use typosquatting, so it’s important that URLs are double checked e.g. usa.visa.com is official, but usa.v1sa.com is an attempt to fake the official website.
If It’s Too Good to Be True: online adverts which are offering unlikely and unrealistic rewards should always be scrutinized closely. While they may not necessarily link you to malicious websites, it’s more than likely that some form of scam/deception is the most likely end point.

Use an Adblocker: pop-up adverts are both annoying and a potential security risk, so why not minimize these risks by installing an adblocker into your browser? Easy to operate, and available for free, these browser add-ons allow you to prevent pop-up adverts from being displayed on your screen. Popular adblockers include Adblock Plus, Privacy Badger, and Ghostery.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Category Archives: verify sources