Researchers have detailed a threat actor, which they call Magnat, deploying a new backdoor and undocumented malicious Google Chrome extension in malware attacks that date back to 2018.
Magnat - a name that stems from the username in the build path of the campaign’s malware - has been using fake software installers as a lure to convince users to execute malware on their system, with filenames that include viber-25164.exe and wechat-35355.exe. Researchers with Cisco Talos, on Thursday, said they believe that the threat actor is stealing credentials with the intent of selling them on underground forums.
“Since this threat delivers multiple different payloads, including information stealers, it can pose a significant threat to enterprises,” said Tiago Pereira, technical lead of security research with Cisco Talos. “We have seen the credentials stolen by these stealers act as an initial infection point for larger attacks, including ransomware incidents.”
Researchers assessed that the campaign uses malvertising - the use of malicious advertisements, which typically occurs through injecting malicious code into ads - as an initial means to reach users who might be interested in downloading popular software. Most victims targeted have been in Canada, the U.S. and Australia, with about 50 percent of infections in Canada.
“This type of threat can be very effective and requires that several layers of security controls are in place, such as, endpoint protection, network filtering and security awareness sessions,” Pereira said.
Backdoor and Malicious Chrome Extension
Once run, the fake installers execute a loader (typically either an .exe or .iso file) that pretends to be a software installer. In reality, the loader creates several files and deploys various commands that lead to the execution of three malware components. One of these is a malicious Google Chrome extension, which researchers called “MagnatExtension.”
The browser extension, which includes samples dating back to August 2018, is delivered via an executable (not from the Chrome Extension store) with the sole function of preparing the system and installing the extension. Once it has been installed, the extension shows up for victims as “Google’s Safe Browsing” and purports to be technology that examines URLs to look for unsafe websites. The extension code, which is obfuscated using function redirects, encrypted substitution arrays, function wrappers and string encoding, has several web browser information-stealing capabilities.
These include a keylogger that captures the keys typed by victims and a form grabber that retrieves credentials from web data forms. The extension also grabs screenshots of passwords and swipes browser cookies.
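The extension described above was sideloaded by an executable rather than installed from the Chrome Web Store, carried a name imitating a Google feature, and needed broad access to page content and cookies to grab forms and session data. A defender can look for that combination in a Chrome profile. The following audit script is an added example for this article, not code from Cisco Talos or from the campaign; it assumes the layout of Chrome's per-profile "Preferences" file (an "extensions" -> "settings" map keyed by extension id, with "from_webstore" and an embedded "manifest"), and the sample JSON it parses is constructed here.

```python
"""Audit a Chrome Preferences file for sideloaded extensions with
credential-stealing-grade permissions. Example code written for this article;
the Preferences layout below is an assumption about Chrome's profile format."""
import json

# Constructed sample, shaped like the "extensions.settings" subtree of a Chrome
# profile's Preferences file. The second entry mimics the pattern in the article:
# not from the Web Store, a name posing as a Google feature, cookie/request access.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
                "from_webstore": True,
                "state": 1,
                "manifest": {
                    "name": "uBlock Origin",
                    "version": "1.38.6",
                    "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
                },
            },
            "abcdefghijklmnopabcdefghijklmnop": {       # constructed id
                "from_webstore": False,
                "state": 1,
                "path": "C:\\Users\\<user>\\AppData\\Local\\Temp\\ext",  # placeholder path
                "manifest": {
                    "name": "Google's Safe Browsing",
                    "version": "1.0",
                    "permissions": ["cookies", "webRequest", "webRequestBlocking",
                                    "tabs", "<all_urls>", "storage"],
                },
            },
        }
    }
})

# Permissions that let an extension read every page, its forms and its cookies.
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "<all_urls>", "webNavigation", "debugger"}
# Words a lure extension uses to look like a built-in browser safety feature.
IMPERSONATION_WORDS = ("google", "safe browsing", "chrome")


def audit(prefs_json):
    """Return one finding per installed extension, with reasons and a severity."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, info in settings.items():
        manifest = info.get("manifest") or {}
        if not manifest:
            continue  # component entries without a manifest are not user extensions
        reasons = []
        sideloaded = not info.get("from_webstore", False)
        if sideloaded:
            reasons.append("not installed from the Chrome Web Store")
        hits = sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS)
        if hits:
            reasons.append("sensitive permissions: " + ", ".join(hits))
        name = manifest.get("name", "")
        if any(word in name.lower() for word in IMPERSONATION_WORDS):
            reasons.append("name imitates a Google/Chrome feature")
        # Sideloaded plus page/cookie access is the combination worth escalating;
        # a Web Store extension with broad permissions alone is routine (ad blockers).
        if sideloaded and hits:
            severity = "high"
        elif len(reasons) >= 2:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"id": ext_id, "name": name, "path": info.get("path", ""),
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f["severity"]))


if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFERENCES):
        print(f"[{finding['severity']}] {finding['name']} ({finding['id']})")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it against a real profile by reading `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` (and "Secure Preferences", where newer Chrome versions keep the same subtree) instead of the constructed sample; an extension flagged "high" deserves a look at its on-disk path and at the process that wrote it there.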
The campaign also utilizes a backdoor that researchers called “MagnatBackdoor.” This is an AutoIT-based installer that configures the targeted system for stealthy Microsoft Remote Desktop Protocol (RDP) access, adds a new user and sets a scheduled task to periodically ping the command-and-control (C2) server.
“As a result of this installer's actions there is a way for the attacker to access the system remotely via RDP, which is why we call it a backdoor,” said researchers.
The backdoor also creates an outbound SSH tunnel to a remote server, through which the local RDP port is forwarded for remote access. Researchers said that the motives for the deployment of the RDP backdoor are unclear. However, “the most likely are the sale of RDP access, the use of RDP to work around online service security features based on IP address or other endpoint installed tools or the use of RDP for further exploitation on systems that appear interesting to the attacker,” said Pereira.
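None of the individual steps the backdoor takes on a host (creating a local user, adding it to the Remote Desktop Users group, switching RDP on, registering a repeating scheduled task) is suspicious on its own; what makes the pattern detectable is all of them landing on one machine within minutes. The correlation below is an added example written for this article, not Cisco Talos detection content: it works over Windows Security events 4720 (user created), 4732 (member added to a local group) and 4698 (scheduled task created) plus Sysmon event 13 (registry value set) for the `fDenyTSConnections` value, and the event records it consumes are constructed here.

```python
"""Correlate host events that together match the RDP-backdoor setup described
in the article. Example code for this article; the event IDs are the standard
Windows Security / Sysmon ones, the sample events are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # how close together the steps must land

# Constructed sample events, already normalised from EVTX/JSON into dicts.
SAMPLE_EVENTS = [
    {"host": "WS-17", "time": "2021-12-02T10:01:05", "provider": "Security", "id": 4720,
     "data": {"TargetUserName": "svc_updt"}},
    {"host": "WS-17", "time": "2021-12-02T10:01:09", "provider": "Security", "id": 4732,
     "data": {"TargetUserName": "Remote Desktop Users", "MemberName": "svc_updt"}},
    {"host": "WS-17", "time": "2021-12-02T10:02:30", "provider": "Sysmon", "id": 13,
     "data": {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
              "Details": "DWORD (0x00000000)"}},   # 0 = RDP connections allowed
    {"host": "WS-17", "time": "2021-12-02T10:03:00", "provider": "Security", "id": 4698,
     "data": {"TaskName": r"\Updater",
              "TaskContent": "<Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval>"
                             "</Repetition></TimeTrigger></Triggers>"}},
    # A helpdesk host where an admin only created an account: must not alert.
    {"host": "WS-22", "time": "2021-12-02T11:15:00", "provider": "Security", "id": 4720,
     "data": {"TargetUserName": "jdoe"}},
    # Same steps as WS-17 but spread over a day: outside the window, no alert.
    {"host": "SRV-03", "time": "2021-12-01T08:00:00", "provider": "Security", "id": 4720,
     "data": {"TargetUserName": "backup"}},
    {"host": "SRV-03", "time": "2021-12-02T09:00:00", "provider": "Sysmon", "id": 13,
     "data": {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
              "Details": "DWORD (0x00000000)"}},
]


def classify(event):
    """Map a raw event to one of the backdoor's setup steps, or None if unrelated."""
    provider, eid, data = event["provider"], event["id"], event["data"]
    if provider == "Security" and eid == 4720:
        return "new_user"
    if provider == "Security" and eid == 4732 and "Remote Desktop Users" in data.get("TargetUserName", ""):
        return "rdp_group_add"
    if provider == "Security" and eid == 4698 and "<Repetition>" in data.get("TaskContent", ""):
        return "periodic_task"   # a repeating trigger is what a beacon needs
    if provider == "Sysmon" and eid == 13:
        if data.get("TargetObject", "").endswith("fDenyTSConnections") \
                and data.get("Details", "").endswith("(0x00000000)"):
            return "rdp_enabled"
    return None


def correlate(events, window=WINDOW, min_steps=3):
    """Return one alert per host where at least `min_steps` distinct setup steps
    occur within `window` of each other."""
    by_host = {}
    for event in sorted(events, key=lambda e: e["time"]):
        step = classify(event)
        if step is not None:
            by_host.setdefault(event["host"], []).append(
                (datetime.fromisoformat(event["time"]), step))
    alerts = []
    for host, items in by_host.items():
        for i, (start, _) in enumerate(items):
            seen = {step for t, step in items[i:] if t - start <= window}
            if len(seen) >= min_steps:
                alerts.append({"host": host, "start": start.isoformat(),
                               "steps": sorted(seen)})
                break   # one alert per host is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], ", ".join(alert["steps"]))
```

The threshold of three distinct steps keeps a lone account creation or a lone RDP enablement from paging anyone, while the 30-minute window catches an installer that does everything in one run; both knobs are worth tuning against a baseline of how often admins legitimately enable RDP in the environment. The outbound SSH tunnel the article mentions is easier to see from network telemetry (a workstation opening a long-lived port 22 session to an external host) than from these host events.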
Continual Development
Researchers observed widely-known and documented commodity password stealers being deployed as part of the attack to collect system credentials.
The types of password stealers have varied over time, suggesting constant development by the attackers. From 2018 to late 2019, the Azorult password stealer was deployed. However, the use of Azorult suddenly stopped in 2020, which researchers believe may have been a consequence of Chrome 80 cracking down on Azorult’s password-stealing abilities. More recent attacks leveraged the Vidar Stealer, Gozi and the Redline Stealer, suggesting that attackers have been testing replacements for Azorult.
Researchers warn that attackers will continue to develop and improve this campaign with the purpose of stealing and selling credentials. The discovered malware families "have been subject to constant development and improvement by their authors - this is likely not the last we hear of them," said Pereira.