Fake installers for popular applications and games, including Viber, NoxPlayer, WeChat, and Battlefield, are being used by a previously undocumented threat actor to trick users into installing a new backdoor and an undocumented, malicious Google Chrome extension that steal credentials and data from compromised computers while also maintaining persistent remote access.
Cisco Talos attributes the payloads to an unknown actor who uses the pseudonym “magnat,” and notes that the developers of these two malware families have been steadily developing and improving them. The campaign is thought to have started in late 2018, with sporadic activity seen towards the end of 2019 and early 2020, followed by a renewed rise in activity since April 2021. The targeted users are mainly in Canada, Australia, Spain, Italy, Norway, and the United States.
A significant component of the intrusions is the use of malvertising to target people searching for popular software on search engines, steering them to links that download bogus installers. Those installers drop three distinct payloads: a commodity password stealer named RedLine Stealer; a Chrome extension tracked as “MagnatExtension” that records keystrokes and takes screenshots; and an AutoIt-based backdoor that grants the attacker remote access to the system.
The command-and-control (C2) communications of the extension are also noteworthy. Although the C2 address is hard-coded, the currently active C2 can replace it with a list of alternative C2 domains. If that fails, the extension falls back to a backup technique for acquiring a new C2 address: it searches Twitter for hashtags such as “#aquamamba2019” or “#ololo2019.”
The domain name is then built by concatenating the first letter of each word in the matching tweet, with the sentence break marking the boundary between the domain label and the top-level domain. For example, the tweet “Squishy turbulent areas terminate active round engines after dank years. Industrial creepy units” yields “stataready[.]icu.” Once an active C2 server is found, the harvested data is exfiltrated in the body of an HTTP POST request as an encrypted JSON string, with the encryption key hard-coded in the extension’s decryption function.
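The tweet-to-domain derivation described above is simple enough for a defender to reproduce and use for hunting: pull the tweets returned for the known hashtags, run them through the same rule, and check the resulting domains against DNS and proxy logs. The following is an added analyst-side re-implementation, not code from Cisco Talos or from the extension itself. It is calibrated against the single example in the article; the handling of hashtags, mentions, and punctuation beyond that example is an assumption, and the sample tweets are constructed for illustration.

```python
"""
Re-implementation of the MagnatExtension C2 fallback rule for hunting purposes.

Rule (from the published description): each sentence of the tweet becomes one
label of the domain, formed from the first letter of every word; sentences are
separated by '.', so the last sentence supplies the TLD.

Assumptions (not stated in the article): tokens beginning with '#' or '@' are
skipped, leading punctuation in a token is ignored, and output is lower-cased.
"""
import re

_HASHTAG_OR_MENTION = re.compile(r"^[#@]")
_FIRST_ALNUM = re.compile(r"[A-Za-z0-9]")


def tweet_to_domain(text: str) -> str:
    """Derive a candidate C2 domain from a tweet's text."""
    labels = []
    for sentence in text.split("."):
        initials = []
        for token in sentence.split():
            if _HASHTAG_OR_MENTION.match(token):
                continue  # assumption: the search hashtag itself is not encoded
            m = _FIRST_ALNUM.search(token)
            if m:
                initials.append(m.group(0).lower())
        if initials:
            labels.append("".join(initials))
    return ".".join(labels)


def is_plausible_hostname(domain: str) -> bool:
    """Cheap sanity filter: at least two labels, each 1-63 chars, alphabetic TLD."""
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    if not all(0 < len(label) <= 63 for label in labels):
        return False
    return labels[-1].isalpha() and len(labels[-1]) >= 2


def defang(domain: str) -> str:
    """Render a domain safely for reports, e.g. stataready[.]icu."""
    return domain.replace(".", "[.]")


def candidate_domains(tweets):
    """Map hashtag search results to unique, plausible candidate C2 domains."""
    found = []
    for tweet in tweets:
        domain = tweet_to_domain(tweet)
        if is_plausible_hostname(domain) and domain not in found:
            found.append(domain)
    return found


# Constructed sample input: the article's tweet (with the hashtag that would
# have surfaced it), a noise tweet, and a duplicate to exercise de-duplication.
SAMPLE_TWEETS = [
    "#aquamamba2019 Squishy turbulent areas terminate active round engines "
    "after dank years. Industrial creepy units",
    "just a noisy tweet with no sentence break #ololo2019",
    "Squishy turbulent areas terminate active round engines after dank years. "
    "Industrial creepy units",
]

if __name__ == "__main__":
    for domain in candidate_domains(SAMPLE_TWEETS):
        print(defang(domain))  # prints stataready[.]icu for the sample above
```

Because the rule is deterministic, the same function can be run in the other direction during an incident: take the domains seen in proxy logs around the time of infection and check whether any of them could have been produced from a recently posted tweet carrying one of the known hashtags.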
According to Cisco Talos researcher Tiago Pereira, the use of password stealers and a Chrome extension that resembles a banking trojan suggests the attacker's goal is to gather user credentials, either for sale or for use in future exploitation. The purpose of the RDP backdoor is less clear. The most likely scenarios are selling RDP access, using RDP to bypass online service security controls that rely on IP address or other endpoint-based checks, or using RDP for further exploitation of systems that look attractive to the attacker.