Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions
Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store.
The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware. Read More
The Hacker News | #1 Trusted Cybersecurity News Site
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
:
The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, which helps you to quantify risk accurately:
In this case, the threat actor purchased an ad falsely claiming to be the PuTTY homepage, appearing at the top of search results before the official site.
While the unrelated domain raised suspicions here, many advertisements closely mimic trusted brands, making them effective lures for distributing stealthy malware loaders that enable further exploitation.
Malicious ad (Source – Malwarebytes)
Potential victims from the United States are redirected to a fake putty.org, while others are shown a legitimate page that bypasses security checks.
This redirection chain is multi-staged and possibly probes for proxies as well as logs victims’ IPs before serving a final malware payload.
Acting like the PuTTY program, this dropper is written in Go, which provides the attackers with an entry point into compromised systems for future exploitation.
The deceptions of such a campaign and the complexity of its payload delivery scheme reveal the extent to which threat actors can spread malware without being noticed.
Fake PuTTY site (Source – Malwarebytes)
This is done to show that, the victim did follow the deceptive ad campaign and downloaded it from a fake PuTTY site.
In case IP matches, it fetches a follow-on payload from the CnC server; as a result, it further propagates the multi-stage infection chain.
As such, this process of IP verification helps them distinguish potential researchers or honeypots who may have been lured into participating in this campaign.
This keeps additional payloads from being sent to any other system violated through their fraudulent advertisement campaigns.
Rhadamanthys IP (Source – Malwarebytes)
The Go-based dropper uses SSH protocol in secret to pull the following-stage payload, probably Rhadamanthys malware, from some command and control server, reads the report.
This multiple-component infection chain, which offers malware deployment services ranging from malicious ads to loaders and final payloads, demonstrates a sophisticated malvertising infrastructure controlled by the same bad actor.
Although this particular campaign was reported to Google, it shows how threat actors are always changing their techniques to evade security controls.
To counter such stealthy malware distribution schemes, proactive defense mechanisms like strong malware detection and ad-blocking are crucial.
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.