Researchers have warned about a new malicious campaign that uses fake Windows updates to trick people into downloading and running the Aurora info stealer on their devices.
Malwarebytes experts recently discovered a fraudulent advertising campaign using pop-under ads to distribute malware loaders.
Pop-under advertisements are a kind of ad that loads beneath the browser window and becomes visible only after the user closes the browser or moves it out of the way. These full-screen advertisements, typically placed on popular adult content websites, tell the user that their device needs to be updated. According to reports, this campaign used more than a dozen websites.
Victims From Turkey
Those who fell for the ruse would download a ChromeUpdate.exe file, a malware loader named “Invalid Printer.”
According to the researchers, this specific unknown threat actor only employs Invalid Printer as a “completely undetectable” (FUD) malware loader.
Once it reaches the target endpoint, Invalid Printer checks the graphics card to see whether it is running on a virtual machine or in a sandbox. If it determines the device is an appropriate target, it unpacks and launches a copy of the Aurora info stealer.
According to its developers, Aurora is a piece of malware with “extensive capabilities” and low antivirus detection. According to Malwarebytes, it took a few weeks for antivirus programs to identify Aurora installs as malicious. In addition, Aurora, which is written in Golang, has been for sale on dark web forums for over a year. According to the experts, this particular attack infected 600 devices.
Jérôme Segura, director of threat intelligence at Malwarebytes, claims that most victims are Turkish, since each new sample is always submitted to VirusTotal by a Turkish user.
The study concluded that “in many cases, the file name appeared as if it had just been generated by the compiler (i.e., build1_enc_s.exe)”.