New Malvertising Campaign Targets Windows Geeks


Security researchers at Malwarebytes have uncovered a malvertising campaign aimed at visitors of the “Windows Report” portal. The threat actor cloned the legitimate Windows news site (the real site itself was not compromised) to trick users into downloading malware.

Malwarebytes said in a blog post that this type of website is often visited by ‘geeks’ and system administrators to read the latest computer reviews, learn some tips, and download software utilities.

According to Cybernews, “malvertising” is a type of cyberattack in which threat actors embed malicious code in online ads to deliver malware to the viewer’s device. Victims who click on, or in some cases merely view, such an ad can suffer anything from degraded performance to data theft or loss of control over the device.

This campaign used Google ads to promote a fake download of CPU-Z, a popular Windows hardware-information and troubleshooting utility. The download was an installer bundling a malicious PowerShell script and a loader known as FakeBat.

The actors behind the campaign evaded detection with cloaking. As Malwarebytes explains, a visitor who is not an intended target clicks the ad and sees an ordinary blog, while an intended victim is redirected to a different domain that mimics Windows Report, reusing content from the legitimate site and looking almost identical apart from the URL.

Malwarebytes suggests the threat actor may have chosen a decoy resembling Windows Report because many users download software utilities from such portals rather than from the developer’s official page.
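Both the cloaked decoy described above and the download-portal habit come down to one thing: the only visible difference between the decoy and the real site is the domain the ad finally lands on. The script below, an added example rather than code from Malwarebytes or from the campaign write-up, takes the brand an ad claims to offer (from the ad copy, not from the URL) and the URL the click ends up on, and reports whether the registrable domain is one that legitimately serves that brand. The allowlist of official domains, the sample redirect chain and the hostnames in it are constructed for the example; the registrable-domain logic is a deliberately small stand-in for a Public Suffix List lookup.

```python
"""
Landing-page check for ad-driven software downloads.

Added example, not code from Malwarebytes or from the campaign write-up.
Given the brand an ad claims to be (taken from the ad copy, not from the URL)
and the URL the click actually lands on, decide whether the registrable domain
is one that legitimately serves that brand. The allowlist below is constructed
for the example and must be maintained from your own sources.
"""
from urllib.parse import urlsplit

# Claimed brand -> registrable domains that legitimately serve it (constructed).
OFFICIAL_DOMAINS = {
    "windows report": {"windowsreport.com"},
    "cpu-z": {"cpuid.com"},                 # CPU-Z is published by CPUID
    "notepad++": {"notepad-plus-plus.org"},
}

# Tiny stand-in for the Public Suffix List; production code should use a PSL library.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host):
    """Collapse a hostname to its registrable domain (e.g. a.b.example.com -> example.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_token(brand):
    """Brand name as it would be embedded in a hostname: lowercase, alphanumerics only."""
    return "".join(ch for ch in brand.lower() if ch.isalnum())


def check_landing(url, claimed_brand):
    """Return (verdict, reasons) for one landing URL; verdict is 'official' or 'suspicious'."""
    allowed = OFFICIAL_DOMAINS.get(claimed_brand.lower())
    if allowed is None:
        raise ValueError(f"no allowlist entry for brand {claimed_brand!r}")
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "suspicious", ["URL has no hostname"]
    reg = registrable_domain(host)
    if reg in allowed:
        return "official", [f"{reg} is an official domain for {claimed_brand}"]
    reasons = [f"{reg} is not an official domain for {claimed_brand}"]
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("hostname contains a punycode (IDN) label")
    token = brand_token(claimed_brand)
    if token and token in "".join(ch for ch in host if ch.isalnum()):
        reasons.append(f"brand name '{token}' embedded in a non-official hostname")
    return "suspicious", reasons


def check_redirect_chain(chain, claimed_brand):
    """Evaluate the URL the user finally lands on after following an ad's redirects.
    Every earlier hop is reported too, so a pass through an unrelated tracking or
    cloaking domain stays visible even when the final page is official."""
    allowed = OFFICIAL_DOMAINS[claimed_brand.lower()]
    verdict, reasons = check_landing(chain[-1], claimed_brand)
    off_brand_hops = set()
    for url in chain[:-1]:
        reg = registrable_domain((urlsplit(url).hostname or "").lower())
        if reg not in allowed:
            off_brand_hops.add(reg)
    if off_brand_hops:
        reasons.append(f"chain passed through non-official domains: {sorted(off_brand_hops)}")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample: an ad claiming to offer Windows Report content that
    # lands on a lookalike host after one hop through an ad-click domain.
    sample_chain = [
        "https://click.adnetwork.example/track?id=123",      # ad click URL (constructed)
        "https://windows-report-download.example/cpu-z/",    # decoy site (constructed)
    ]
    print(check_redirect_chain(sample_chain, "Windows Report"))
    print(check_landing("https://www.cpuid.com/softwares/cpu-z.html", "CPU-Z"))
```

The claimed brand is the important input: in this campaign the decoy did not need the brand name in its hostname at all, so a check that only inspects the URL string for "windowsreport" would miss it, while a check that asks "does this registrable domain belong to the brand the ad promised?" does not.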

This incident appears to be part of a broader malvertising campaign that also abuses the names of other utilities, including Notepad++, Citrix, and VNC Viewer. Malicious ads can also appear on well-known, trusted sites: they have previously been spotted on publications such as The New York Times and The Atlantic.