Cybercriminals are once again abusing Google Ads to distribute malware, and this time it is the LOBSHOT financial trojan that is raising alarms. The malware is spread through malvertising: malicious ads placed on a legitimate platform, here Google's sponsored search results, lead victims to a network of bogus download sites. The installers offered there look like ordinary software but carry a backdoor, which unsuspecting users download and run themselves.
LOBSHOT resolves its Windows API imports dynamically at run time, so the import table of the file on disk reveals little about what the code does; this hampers static analysis and signature matching. Once executed, the malware performs an anti-emulation check against the default hostname and username used by the Windows Defender emulator and exits if it finds them, so that the emulator never sees the real payload. LOBSHOT focuses on stealing information and targets over 50 Chrome, Edge, and Firefox extensions related to cryptocurrency wallets. It builds a custom structure from data harvested from the machine, initiates a network connection to its command-and-control server, creates a new registry key for persistence so that it survives a reboot, and then begins its information-stealing routine.
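The persistence step above is the one a defender can most easily hunt for, because a Run-key write shows up in ordinary endpoint telemetry. The following Python is an added example, not code from the original article and not derived from LOBSHOT itself; it scores Sysmon Event ID 13 (registry value set) records in the shape the Windows event log exports and flags autostart entries that point into user-writable directories, are written by a process running from such a directory, or launch a script host or LOLBin. The field names follow Sysmon's schema, but the four events are constructed for illustration and do not reproduce any real LOBSHOT key or path.

```python
"""Hunt for suspicious Run-key persistence in Sysmon registry events.

Added example for illustration only. The events below are constructed;
they are not captured LOBSHOT telemetry.
"""
import re
from dataclasses import dataclass

# Autostart locations that commodity malware writes to for persistence.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Directories a standard user can write to. A properly installed product
# registers its binaries under Program Files, so an autostart entry here
# deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)

# Living-off-the-land binaries commonly used to bootstrap a DLL or script.
LOLBIN_RE = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: int
    key: str
    value: str
    image: str
    reasons: list


def scan(events):
    """Return a Finding for every Run/RunOnce write that trips at least one rule."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        if not RUN_KEY_RE.search(ev["TargetObject"]):
            continue  # not an autostart location, ignore
        reasons = []
        if USER_WRITABLE_RE.search(ev["Details"]):
            reasons.append("autostart value points into a user-writable directory")
        if USER_WRITABLE_RE.search(ev["Image"]):
            reasons.append("writing process runs from a user-writable directory")
        if LOLBIN_RE.search(ev["Details"]):
            reasons.append("autostart value launches a script host or LOLBin")
        if reasons:
            findings.append(Finding(ev["RecordId"], ev["TargetObject"],
                                    ev["Details"], ev["Image"], reasons))
    return findings


# Constructed sample events (hypothetical paths and SIDs, not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup_installer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r'"C:\Users\alice\AppData\Roaming\Update\update.exe" /silent'},
    {"RecordId": 2, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /tray'},
    {"RecordId": 3, "EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Helper",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\helper.dll,Start"},
    {"RecordId": 4, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vendor\DisplayName",
     "Details": "Vendor Updater 1.0"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.key}")
        print(f"  value: {f.value}")
        print(f"  by:    {f.image}")
        for r in f.reasons:
            print(f"  - {r}")
```

On the sample input, records 1 and 3 are reported and record 2 (an MSI-installed updater under Program Files) is not; record 4 is skipped because it is not an autostart key. The rules are deliberately narrow so that a first-pass hunt stays readable; in production you would extend the key list to the other autostart locations (Winlogon, services, scheduled tasks) and join each finding to the process-creation event for the writing image.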
The core of the malware is an hVNC (hidden VNC) module. It creates a second, hidden Windows desktop and attaches the malware's own windows and input to it, so the attacker can drive the machine interactively while the victim's visible desktop shows nothing unusual. Because this happens inside the victim's already logged-in session, browser sessions and saved credentials are available to the attacker exactly as they are to the user. Once in control, the attacker can execute a variety of commands, such as modifying sound settings, accessing the clipboard, starting new browsers, and activating the Start menu.
LOBSHOT has been linked to TA505, a financially motivated threat actor, with activity observed since at least 2022 and over 500 unique malware samples seen since July last year. Businesses should consider implementing multi-factor authentication and network segmentation to reduce the risk of such attacks, with one caveat: because hVNC rides on the victim's authenticated session, MFA on the victim's accounts does not by itself stop an attacker who already controls the browser. Steering users to verified download sources rather than search ads, restricting execution of unsigned installers from user-writable directories, and monitoring autostart registry locations address the infection chain described above more directly.
Don't let your organization fall victim to cybercriminals. Armoryze is a trusted cybersecurity provider that can help protect your business from devastating cyberattacks. Armoryze offers the expertise and tools you need to safeguard your organization's valuable assets and reputation. Contact us today to learn more about our managed detection and response service and how we can help secure your business.