FakeSG campaign, Akira ransomware and AMOS macOS stealer


Introduction


The crimeware landscape is diverse. Cybercriminals try to capitalize on their victims in every possible way by distributing various types of malware designed for different platforms. In recent months, we have written private reports on a wide range of topics, such as new cross-platform ransomware, macOS stealers and malware distribution campaigns. In this article, we share excerpts from our reports on the FakeSG campaign, the Akira ransomware and the AMOS stealer.


To learn more about our crimeware reporting service, you can contact us at [email protected].


FakeSG


“FakeSG” is the name we gave to a new NetSupport RAT distribution campaign. We chose the moniker because the campaign mimics the notorious SocGholish distribution campaign. Legitimate websites are compromised to display a notification claiming that the user’s browser needs an update; an example is shown in the image below. Clicking the notification downloads a malicious file to the device. Over time, the attackers have changed the download URL to stay undetected longer. However, for reasons unknown, the URL path has remained the same (/cdn/wds.min.php).


Landing page example


The download is a JS file containing obfuscated code. When executed, it loads another script from a remote location and sets a cookie. Finally, it displays a prompt to update the browser and automatically starts downloading another script. This time, it is a batch script ..
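Because the operators rotated download hosts but kept the path /cdn/wds.min.php, the path is the stable indicator to hunt on. The following is an added example, not code from the original report or from Kaspersky, that scans constructed proxy-log lines (the hostnames, client IPs and log format are invented for illustration and are not indicators from the campaign) for requests to that path, matching on the parsed URL path so that a different host or an appended query string does not hide the hit and a similar-looking filename does not cause a false positive:

```python
"""Hunt for FakeSG loader downloads in proxy logs by the campaign's fixed URL path."""
import re
from urllib.parse import urlsplit

# The campaign rotated download hosts but kept this path (as stated in the article).
FAKESG_PATH = "/cdn/wds.min.php"

# Constructed sample lines in a simplified access-log format:
# "<timestamp> <client_ip> <method> <url> <status>".
# Hosts and IPs are invented for illustration; they are not real indicators.
SAMPLE_LOG = """\
1700000001.123 10.0.0.5 GET https://news.example.test/index.html 200
1700000002.456 10.0.0.5 GET https://update-cdn.example.test/cdn/wds.min.php 200
1700000003.789 10.0.0.7 GET https://static.example.test/cdn/wds.min.js 200
1700000004.012 10.0.0.9 GET http://another-host.example.test/cdn/wds.min.php?x=1 200
1700000005.345 10.0.0.9 GET https://legit.example.test/cdn/ 304
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_fakesg_download(url):
    """True if the URL's parsed path equals the campaign's constant download path.

    Comparing the parsed path (not the raw string) means a rotated host or an
    appended query string still matches, while e.g. /cdn/wds.min.js does not.
    """
    return urlsplit(url).path == FAKESG_PATH


def find_fakesg_hits(log_text):
    """Return (client_ip, host, url) for every request that hit the indicator path."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        if is_fakesg_download(fields["url"]):
            host = urlsplit(fields["url"]).hostname
            hits.append((fields["client"], host, fields["url"]))
    return hits


def hosts_seen(hits):
    """Distinct download hosts, sorted: shows the attackers' domain rotation."""
    return sorted({host for _, host, _ in hits})


if __name__ == "__main__":
    hits = find_fakesg_hits(SAMPLE_LOG)
    for client, host, url in hits:
        print(f"{client} fetched FakeSG loader from {host}: {url}")
    print("download hosts observed:", hosts_seen(hits))
```

Each client IP returned by `find_fakesg_hits` is a host that should be checked for the follow-on JS loader and batch script, and the host list from `hosts_seen` is what you would feed back into blocklists as the domains rotate.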
