At a glance.
- LOBSHOT, a cryptowallet stealer abusing Google Ads.
- Coronation phishbait.
- Known CCTV vulnerability is currently being exploited.
- T-Mobile discloses small data breach.
- New Magecart exploits.
- Europol announces major dark web souk takedown.
- Preliminary lessons from cyber operations during Russia's war.
LOBSHOT, a cryptowallet stealer abusing Google Ads.
Elastic Security Labs reports a new trend of Google Ads-based malware that uses “an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers.” Elastic Security calls this malware strain “LOBSHOT” and describes it as having hidden virtual network computing (hVNC) capability, which allows LOBSHOT to operate on the infected machine without being noticed. Researchers attribute this campaign to the Russian cybercrime group TA505, “a well-known cybercrime group associated with Dridex, Locky, and Necurs campaigns.” LOBSHOT is used to steal financial data, specifically going after Chrome extensions associated with cryptowallets. It also appears able to target Edge and Firefox wallets.
As SecurityWeek reported, “the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.” Elastic Security explains that it does this by performing a Windows Defender anti-emulation check. This allows the malware to verify “if the string [matches] HAL9TH and if the username matches JohnDoe. These are hard-coded values within the emulation layer of Defender; if they are present, the malware immediately stops running.” The malware comes with a built-in GUI that lets attackers execute specific commands quickly, such as modifying sound settings, starting browsers, and using the infected machine’s clipboard (presumably to obtain or modify copied wallet addresses).
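As an added example (not from Elastic's report or the article), a small triage script that searches a sample's bytes for the two Defender emulator fingerprints named above, in both narrow and wide string encodings; the sample blob is constructed, and the two-string rule is an assumption chosen to cut down false positives.

```python
"""Scan a file image for the Windows Defender emulator fingerprints that
LOBSHOT compares against (computer name HAL9TH, user name JohnDoe).
Added example, not from the Elastic report; the sample bytes are constructed."""
import re

# Emulator fingerprints named in the Elastic Security Labs write-up.
EMULATOR_FINGERPRINTS = ("HAL9TH", "JohnDoe")


def encodings_for(s: str) -> dict[str, bytes]:
    """Windows binaries carry strings as narrow (ASCII) or wide (UTF-16LE)."""
    return {"ascii": s.encode("ascii"), "utf16le": s.encode("utf-16-le")}


def find_emulator_fingerprints(data: bytes) -> list[tuple[str, str, int]]:
    """Return (fingerprint, encoding, offset) for every hit in `data`."""
    hits = []
    for fp in EMULATOR_FINGERPRINTS:
        for enc, needle in encodings_for(fp).items():
            for m in re.finditer(re.escape(needle), data):
                hits.append((fp, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def looks_like_defender_anti_emulation(data: bytes) -> bool:
    """Triage rule (assumed): flag a sample only when both fingerprints are
    present, since either string alone turns up in benign software.
    Plain string matching is defeated by packing or obfuscation, so treat a
    hit as a reason to look closer, not as a verdict."""
    found = {fp for fp, _, _ in find_emulator_fingerprints(data)}
    return found == set(EMULATOR_FINGERPRINTS)


# Constructed sample: padding with one wide and one narrow name embedded.
SAMPLE = (b"\x00" * 16 + "HAL9TH".encode("utf-16-le") + b"\x00" * 8
          + b"JohnDoe\x00" + b"\x00" * 8)

if __name__ == "__main__":
    for fp, enc, off in find_emulator_fingerprints(SAMPLE):
        print(f"{fp:8} {enc:8} @ 0x{off:04x}")
    print("anti-emulation indicator:", looks_like_defender_anti_emulation(SAMPLE))
```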