One Article Review

Home - The article:
Source: RiskIQ
Identifier: 8594498
Publication date: 2024-10-08 21:00:37 (viewed: 2024-10-08 21:18:19)
Title: Large scale Google Ads campaign targets utility software
Text:

## Snapshot

Researchers from Malwarebytes have identified a malvertising campaign impersonating utility software such as Slack, Notion, Calendly, Odoo, and Basecamp, among others. The campaign targets both Windows and Mac users, with Windows payloads hosted on various GitHub accounts and Mac payloads served from a domain via PHP scripts.

## Description

The malicious ads are sophisticated, appearing as top search results with official branding and descriptions, but on closer inspection they are linked to unverified advertisers. These ads lead to a redirection chain that includes click trackers, cloaking, and decoy sites, ultimately tricking users into downloading malware. Windows users are likely targeted with the [Rhadamanthys](https://security.microsoft.com/intel-explorer/articles/c9ea8588) infostealer, while Mac users face an infostealer branched from the AMOS family, which uploads stolen information to a remote server in Russia. Despite reports to Google and the banning of related advertisers, new malicious ads continue to surface, indicating the campaign's persistence and breadth.

## Microsoft Analysis

Malvertising has made OSINT headlines in recent months, with surging incident numbers and threat actors employing increasingly sophisticated techniques to distribute malware and compromise systems. Microsoft has been tracking trends across recent malvertising incidents and observations from across the security community. These trends include payload diversification, the emergence of MSIX malware, and improved cloaking and evasion. Read more about [recent OSINT trends in malvertising](https://security.microsoft.com/intel-explorer/articles/003295ff) and the broader trend of [financially motivated threat actors misusing App Installer](https://security.microsoft.com/intel-explorer/articles/74368091). Judging from a review of open-source reporting, cybercriminal groups are likely behind the majority of malvertising activity.

In the underground economy, criminal forums and marketplaces facilitate the exchange of services and tools tailored for malvertising. This ecosystem makes such tactics accessible and cost-effective for a wide array of cybercriminals. Active threat actors in this domain include the actors Microsoft tracks as [Storm-0569](https://security.microsoft.com/threatanalytics3/6d557f37-0952-4a05-bdc5-d40d6742fbaf/analystreport) and [Storm-1113](https://security.microsoft.com/intel-profiles/4847b8382f24f3cd10d4cf3acdda5c59d5c48df64b042590436be6e92e1b232f).

## Recommendations

Organizations can mitigate some risks from malvertising by enabling Network Protection and [potentially unwanted application (PUA) protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide). By applying the principle of least privilege and building credential hygiene, administrators can limit the destructive impact of malvertising attacks, even if the threat actors gain initial access to a system. Microsoft recommends the following mitigations to reduce the impact of this threat.

- Encourage users to use Microsoft Edge and other web browsers that support [Microsoft Defender SmartScreen](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
- Turn on [network protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide&ocid=magicti_ta_learndoc) to block connections to malicious domains and IP addresses.
- [Restrict privileged domain accounts and local accounts with administrator privileges](https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lateral-movement-attacks-using-microsoft-365-defender/?ocid=magicti_ta_blog).
- Randomize Local Administrator passwords with a tool like
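An added example (not part of the RiskIQ/Microsoft article) showing how an administrator can apply and verify the Defender-side mitigations recommended above with the built-in Microsoft Defender Antivirus cmdlets, plus the standard Edge policy registry values for SmartScreen. It assumes an elevated PowerShell session on a Windows device where Microsoft Defender Antivirus is the active antivirus.

```powershell
# Added example: apply the malvertising mitigations recommended above using
# Microsoft Defender Antivirus cmdlets and Edge policy registry values.
# Assumption: elevated PowerShell on Windows with Defender Antivirus active.
#Requires -RunAsAdministrator

# 1. Network protection depends on real-time and cloud-delivered protection,
#    so make sure both are on before enabling it.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 2. Block outbound connections to known malicious domains and IP addresses.
#    Use AuditMode on a pilot group first if you want to see what would be
#    blocked without affecting users; Enabled actually blocks.
Set-MpPreference -EnableNetworkProtection Enabled

# 3. Block potentially unwanted applications (PUA), which covers many of the
#    bundled installers that malvertising campaigns push.
Set-MpPreference -PUAProtection Enabled

# 4. Enforce Microsoft Defender SmartScreen in Edge via policy and stop users
#    from clicking through its warnings.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePolicy -Force | Out-Null
Set-ItemProperty -Path $edgePolicy -Name 'SmartScreenEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $edgePolicy -Name 'PreventSmartScreenPromptOverride' -Value 1 -Type DWord

# 5. Verify the effective settings.
#    Numeric values returned by Get-MpPreference: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
Get-MpPreference | Select-Object EnableNetworkProtection, PUAProtection, MAPSReporting
Get-ItemProperty -Path $edgePolicy | Select-Object SmartScreenEnabled, PreventSmartScreenPromptOverride
```

In a managed estate the same settings are normally pushed through Intune or Group Policy rather than run per device; the cmdlets above are useful for spot checks and for labs.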
Rating: ★★★
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat, Prediction, Cloud


The article does not appear to have been picked up since its publication.


The article does not appear to have been picked up from an earlier one.