Hackers spread the RedLine Stealer via the Windows News Portal

November 18, 2023

A new malvertising campaign has exploited a legitimate Windows news portal to disseminate the RedLine Stealer. Sites like this, typically visited by software enthusiasts and system administrators looking for the latest computer reviews and software utilities, have become unwitting vectors for cyber threats.

Based on reports, the threat actors use the Windows news portal to promote a malicious installer posing as the popular processor information tool CPU-Z.

In addition, the attackers use a cloaking (obfuscation) technique that redirects victims to a seemingly harmless blog page. This blog page acts as the download domain and serves a digitally signed MSIX installer designed to evade detection.

Once users click the download button for the malicious installer, they unknowingly trigger the execution of a malicious PowerShell script called FakeBat, which then downloads the notorious RedLine Stealer malware.

This new malvertising campaign that deploys the RedLine Stealer malware could be part of a more widespread cybercriminal operation.

The infrastructure, domain names and cloaking templates of this new RedLine Stealer operation suggest that the incident is part of a broader malvertising campaign.

Researchers suspect that threat actors are targeting other utilities, including Notepad++, Citrix, and VNC Viewer, expanding the extent and severity of the threat landscape.

Unfortunately, this issue is not an isolated incident since the cybersecurity community recently observed an uptick of fake browser update campaigns designed to propagate Cobalt Strike, loaders, and stealers.

Separate research identified four distinct threat clusters using fake browser updates to distribute malware. One of these threats, the ClearFake campaign, employed the watering hole technique, injecting malicious JavaScript code into infected WordPress sites, thereby deceiving unsuspecting visitors into downloading malware payloads.

The impersonation of popular software has long been a favoured vector for cybercriminals who want to deceive users into installing malware. Organisations should therefore stay vigilant by verifying downloaded files against the SHA-256 hash published on the vendor’s official website.
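As an added illustration of that checksum advice (this is example code written for this page, not code from the article or from any vendor), the following Python script computes the SHA-256 of a downloaded installer in chunks and compares it against a vendor-published hash, normalising the copy-pasted forms those pages commonly use (upper-case, a "SHA256:" prefix, stray spaces). The "installer" contents, file name and published hash are all constructed for the demonstration; the hash is the well-known SHA-256 test vector for the bytes "abc".

```python
import hashlib
import hmac
import os
import tempfile
from typing import Tuple


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the lowercase hex SHA-256 digest of a file, read in chunks so a
    multi-hundred-megabyte installer never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalise_published_hash(published: str) -> str:
    """Vendor pages publish hashes in varying forms: upper-case, padded with
    whitespace, or prefixed like 'SHA256: <hex>'. Reduce the value to bare
    lowercase hex, or raise if it is not a plausible SHA-256 digest at all."""
    value = published.strip().lower()
    if ":" in value:
        value = value.rsplit(":", 1)[1].strip()
    value = value.replace(" ", "")
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a SHA-256 hex digest: {published!r}")
    return value


def verify_download(path: str, published: str) -> bool:
    """True only if the file's digest equals the vendor-published digest.
    compare_digest is overkill for a local file check but costs nothing."""
    expected = normalise_published_hash(published)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a tiny stand-in 'installer' containing b'abc',
    checked first as downloaded and then after a one-byte tampering."""
    # Published hash as a vendor page might show it (constructed sample;
    # this is the standard SHA-256("abc") test vector, upper-cased).
    good_hash = "SHA256: BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cpu-z-setup.exe")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"abc")
        genuine = verify_download(path, good_hash)
        # Simulate a trojanised download: the content no longer matches.
        with open(path, "wb") as fh:
            fh.write(b"abd")
        tampered = verify_download(path, good_hash)
    return genuine, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine file matches published hash:", ok)
    print("tampered file matches published hash:", bad)
```

The important operational point is the one the article makes: the hash must come from the vendor's own site, fetched separately, never from the page or installer the download itself came from, otherwise a lookalike site simply publishes the hash of its own trojanised file.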

Companies should also use the available Indicators of Compromise (IoCs), such as the malicious domains and payload URLs associated with the threat. Matching these IoCs against proxy and DNS logs reveals the attack pattern and enables proactive defence measures.
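To show what "using the IoCs" looks like in practice, here is an added Python example (written for this page; the article lists no actual indicators, so every domain, URL and log line below is a constructed placeholder under the reserved `.invalid` TLD). It sweeps proxy log lines against a domain list and a payload-URL list, matching subdomains of a listed domain but not look-alike hosts that merely end in the same string, and matching payload URLs on host plus path prefix so the same host's harmless assets do not produce noise.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Placeholder IoCs (constructed; not the campaign's real indicators).
# Domains cover themselves and any subdomain; URLs are matched on host + path prefix.
IOC_DOMAINS = {"cpu-z-download.invalid", "fake-update.invalid"}
IOC_URLS = {"http://blog-cdn.invalid/files/cpu-z-installer.msix"}

# Constructed proxy log excerpt: "timestamp client method url status".
SAMPLE_LOG = """\
2023-11-16T09:12:03Z 10.0.4.21 GET https://www.cpuid.com/softwares/cpu-z.html 200
2023-11-16T09:12:41Z 10.0.4.21 GET https://dl.cpu-z-download.invalid/cpu-z_setup.exe 200
2023-11-16T09:13:07Z 10.0.4.33 GET http://blog-cdn.invalid/files/cpu-z-installer.msix 200
2023-11-16T09:13:08Z 10.0.4.33 GET http://blog-cdn.invalid/images/logo.png 200
2023-11-16T09:14:55Z 10.0.4.40 GET https://notcpu-z-download.invalid/index.html 200
this line is not in the expected format and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def domain_matches(host: str, ioc_domain: str) -> bool:
    """Exact or subdomain match with a label boundary, so that
    'notcpu-z-download.invalid' does not match 'cpu-z-download.invalid'."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def url_matches(url: str, ioc_url: str) -> bool:
    """Scheme-agnostic host match plus path-prefix match for a payload URL."""
    u, i = urlsplit(url), urlsplit(ioc_url)
    same_host = (u.hostname or "").lower() == (i.hostname or "").lower()
    return same_host and u.path.startswith(i.path)


def classify(url: str) -> Optional[str]:
    """Return a reason string for the first matching IoC, or None."""
    host = urlsplit(url).hostname or ""
    for d in sorted(IOC_DOMAINS):
        if domain_matches(host, d):
            return f"ioc-domain:{d}"
    for u in sorted(IOC_URLS):
        if url_matches(url, u):
            return f"ioc-url:{u}"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit record per log line whose URL matches an IoC.
    Malformed lines are skipped rather than aborting the whole sweep."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["url"])
        if reason:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["url"]} [{hit["reason"]}]')
```

Run against the constructed excerpt, the sweep flags two clients: one that fetched from a subdomain of a listed domain and one that fetched the listed payload URL, while the look-alike host and the same CDN's logo request are left alone. Each hit gives the client address to follow up on and the reason it fired, which is the starting point for the endpoint check.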
