Where data is home

Phishing Website Unveiled: Shapeshifting Malware Steals Information


The discovery of a phishing website utilizing shapeshifting tactics to illicitly obtain information has raised concerns in the cybersecurity community. Cyble Research and Intelligence Labs (CRIL) recently uncovered a website that initially presented itself as a chat application, but later impersonated the official TeamViewer website. Users who clicked on the download button unknowingly downloaded malicious files, which were samples of the Aurora Stealer malware, disguised as messenger.exe and teamviewer.exe. To avoid detection by antivirus software, these files were padded with additional zeroes to increase their size. The malware, once installed, utilized Windows Management Instrumentation (WMI) commands to collect system information and targeted data from various sources, including browsers, crypto wallets, FTP clients, and messaging applications like Telegram and Discord. The stolen data was then prepared for exfiltration through JSON formatting, GZIP compression, and Base64 encoding. To mitigate such threats, it is advisable to implement multi-factor authentication, strong passwords, regular software updates, and employee education on phishing and unsafe URLs. Additionally, blocking potentially malicious URLs and monitoring network beacons can enhance protection against data exfiltration.

Key Takeaways

  • A phishing website called hxxps[:]/messenger-download[.]top was discovered, which pretended to be a chat application.
  • The same phishing site also impersonated the official TeamViewer website.
  • Clicking the Download button on the phishing website resulted in the download of malicious files named messenger.exe and teamviewer.exe, which were actually Aurora Stealer samples.
  • The malware used various tactics such as system information gathering, browser-related data collection, crypto wallet data theft, application-specific data theft, file and screenshot collection, and data exfiltration preparation.

Phishing Website Discovery

Cyble Research and Intelligence Labs (CRIL) discovered the phishing website hxxps[:]/messenger-download[.]top on January 16th, 2023. The site posed as a legitimate chat application in order to lure targets into downloading its installer. Assessing the impact of such a discovery matters because it shows what an attacker stands to gain: by analyzing the tactics employed, organizations can estimate the damage that the theft of sensitive information would cause and prioritize their defenses accordingly. Organizations should stay vigilant and implement robust security measures against phishing of this kind, since a single successful download can have severe consequences for both individuals and businesses.

Impersonation of TeamViewer

Impersonating the official TeamViewer website, the discovered phishing site successfully deceived unsuspecting victims. The cybercriminals behind this attack used sophisticated techniques to mimic the appearance and functionality of the legitimate TeamViewer site. By imitating a widely recognized and trusted platform, they increased the likelihood of users falling into their trap. This impersonation tactic is concerning as it can lead to severe consequences for individuals and organizations alike.

Detection techniques:

  1. Security researchers and intelligence labs play a crucial role in identifying and exposing such phishing websites.
  2. Regular monitoring and analysis of suspicious URLs can help detect and mitigate these threats.
  3. Implementing robust security measures, such as advanced anti-phishing technologies and email filters, can also aid in identifying and blocking such impersonation attempts.

Impact on victims:

  1. Users who unknowingly interacted with the malicious website may have unknowingly exposed their personal information and login credentials.
  2. This impersonation attack may have resulted in unauthorized access to sensitive data, compromising individual privacy and potentially leading to financial losses.
  3. Organizations may suffer reputational damage and financial implications due to compromised customer data and potential legal consequences.

Malicious File Downloads

Detected on January 16th, 2023, the phishing site prompted users to download files named messenger.exe and teamviewer.exe, which were actually samples of the Aurora Stealer. These files were padded with extra zeroes, increasing their size to approximately 260MB. The padding is an evasion tactic: larger files require more time and resources to scan thoroughly, and some scanners and sandboxes skip files above a size limit altogether, so an inflated binary may never be fully inspected. Attackers also routinely obfuscate their malware to keep antivirus software from recognizing and blocking it, using techniques such as code obfuscation, encryption, or polymorphic malware that constantly changes its appearance. By continually adapting these tactics, they can avoid detection and keep stealing sensitive information.

| Impact of large file size   | Techniques to avoid antivirus detection |
|-----------------------------|-----------------------------------------|
| Slows down scanning process | Code obfuscation                        |
| Increases resource usage    | Encryption                              |
| Evades detection            | Polymorphic malware                     |
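A defender-side check for the zero-padding trick described above, added here as an example and not code from the report or from Cyble: it measures how much of a file is trailing null bytes and flags samples whose size is mostly padding. The thresholds and the inline sample are assumptions chosen for illustration.

```python
import sys

# Assumed thresholds (not from the report): flag when at least this many
# trailing null bytes are present, or when trailing nulls make up most of
# the file and are at least 1 MiB (normal PE alignment padding is tiny).
MIN_PADDING_BYTES = 50 * 1024 * 1024
MIN_PADDING_RATIO = 0.5
MIN_RATIO_ABS = 1 << 20


def trailing_zero_run(data: bytes, chunk: int = 1 << 20) -> int:
    """Return the number of consecutive 0x00 bytes at the end of `data`.

    Scans backwards one chunk at a time so a multi-hundred-MB sample is
    handled without walking it byte by byte.
    """
    end = len(data)
    run = 0
    while end > 0:
        start = max(0, end - chunk)
        block = data[start:end]
        stripped = block.rstrip(b"\x00")
        run += len(block) - len(stripped)
        if stripped:  # a non-zero byte inside this chunk ends the run
            break
        end = start
    return run


def assess_padding(data: bytes) -> dict:
    """Summarise how much of a sample is trailing null padding."""
    size = len(data)
    zeros = trailing_zero_run(data)
    ratio = zeros / size if size else 0.0
    suspicious = zeros >= MIN_PADDING_BYTES or (
        ratio >= MIN_PADDING_RATIO and zeros >= MIN_RATIO_ABS
    )
    return {
        "size": size,
        "trailing_zeros": zeros,
        "padding_ratio": round(ratio, 3),
        "payload_size": size - zeros,  # what the scanner actually needs to look at
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess_padding(fh.read()))
```

Stripping the trailing zeros before submitting a sample to a scanner or sandbox restores the real payload size without changing the executable's code.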

Data Collection Methods

One method employed by hackers includes gathering system and browser-related information as well as extracting data from specific applications and directories. The malware used Windows Management Instrumentation (WMI) commands to collect system information such as the operating system’s name, graphics card’s name, and processor’s name. It also searched for specific browser-related files saved in SQLite, such as Cookies, History, Login Data, and Web Data, by querying the directories of installed browsers on the victim’s computer. Additionally, the stealer targeted over 100 crypto wallet browser extensions and extracted information related to crypto wallets by reading files from specific directories. The malware also searched for FTP client software, Telegram, Discord, and Steam applications to steal important information from their config and session data files. These data collection methods enable hackers to gather sensitive information and prepare it for exfiltration. To protect against data exfiltration, it is important to implement measures such as monitoring network beacons and blocking URLs that could be used for malware propagation.
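The summary describes the stolen data being prepared for exfiltration as JSON, GZIP-compressed, then Base64-encoded. The following is an added example, not the stealer's or Cyble's code, showing how an analyst can reverse that layering on a captured request body and use it as a detection heuristic; the sample record is constructed and its field names are assumptions.

```python
import base64
import binascii
import gzip
import json
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample of the kind of data the report says is collected
# (OS, GPU and CPU names, browser SQLite files); field names are assumed.
SAMPLE_RECORD = {
    "os": "Windows 10 Pro",
    "gpu": "Example GPU",
    "cpu": "Example CPU",
    "browser_files": ["Cookies", "History", "Login Data", "Web Data"],
}


def pack_layered(record) -> str:
    """JSON -> GZIP -> Base64, used here only to build test payloads."""
    raw = json.dumps(record, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def unpack_layered(blob: str):
    """Reverse the chain on a captured body; None if any layer does not fit.

    validate=True rejects bodies containing non-alphabet characters, so
    strip line breaks from multi-line captures before calling this.
    """
    try:
        compressed = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not compressed.startswith(GZIP_MAGIC):
        return None
    try:
        return json.loads(gzip.decompress(compressed))
    except (OSError, EOFError, zlib.error, ValueError):
        return None


def looks_like_layered_exfil(blob: str) -> bool:
    """Detection heuristic for outbound POST bodies: True when the body is
    Base64 of a GZIP stream whose content is a JSON object."""
    return isinstance(unpack_layered(blob), dict)
```

Run the heuristic over captured POST bodies from the beacon traffic the report recommends monitoring; a hit is worth decoding and reviewing for the collected fields.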

Defense Recommendations

To enhance defense against malicious activities, it is recommended to implement measures such as multi-factor authentication, strong password usage, automatic software updates, employee education on phishing and unsafe URLs, and the blocking of URLs that could facilitate malware propagation. These measures can significantly strengthen an organization’s security posture and protect sensitive information from being compromised. Implementing multi-factor authentication adds an extra layer of security by requiring users to provide multiple forms of identification before accessing sensitive systems or data. Additionally, educating employees about safe browsing practices can help them recognize and avoid phishing attempts, malicious websites, and suspicious email attachments. Regularly updating software ensures that known vulnerabilities are patched, reducing the risk of exploitation. Blocking URLs that are commonly associated with malware distribution, such as Torrent/Warez sites, can prevent employees from inadvertently accessing malicious content.

Frequently Asked Questions

How did Cyble Research and Intelligence Labs (CRIL) discover the phishing website?

Cyble Research and Intelligence Labs (CRIL) discovered the phishing website through their own discovery process and techniques. The specific methods used by CRIL to uncover the phishing website were not provided in the given information.

What were the specific tactics used by the phishing website to impersonate the official TeamViewer website?

The phishing website that impersonated the official TeamViewer website used tactics such as creating a similar domain name, replicating the website’s design and layout, and using deceptive content and visuals to trick users into believing it was legitimate.

How were the malicious files disguised as legitimate applications?

The malicious files, messenger.exe and teamviewer.exe, were disguised as legitimate applications by borrowing the names of popular software (a chat messenger and TeamViewer) and being served from pages that imitated those products. This tactic aimed to deceive users into thinking they were downloading legitimate software.

What other types of browser-related data did the malware search for and collect?

The malware searched for and collected various browser-related data, including saved Cookies, History, Login Data, and Web Data. It also queried the directories of installed browsers on the victim’s computer to gather this information.

Are there any additional recommendations for defense against this type of malware?

Additional recommendations for defense against this type of malware include implementing enhanced email filtering to block phishing attempts, enabling multi-factor authentication for added security, and regularly updating software to patch vulnerabilities. These measures can help mitigate the risk of malware attacks.
