In recent news, fake ads for popular software like VLC, 7zip and OBS have been leading users to malware downloads. A notable incident involved the crypto influencer NFT God, who fell victim to one of these scams: he lost his digital assets and accounts, most likely to a RedLine info stealer, a family previously covered on this channel.
Ongoing Threats: Fake Websites
This threat is still active. Recently, I encountered a fake website posing as OBS Studio (obspro.net). The site offers downloads that look legitimate but deliver malware: clicking any version of the software downloads a .rar archive, and the executable inside it installs malicious software instead of the promised program. Despite media coverage of malicious Google ads, these sites persist.
Understanding the Threat
Today, we'll look at some info stealer samples distributed through these malvertising campaigns, to understand how they work and how to deal with them. Let's start with the fake OBS Studio package. Opening the .rar file reveals a single .exe. Its properties show a size of 314 MB, and that size is the evasion: it puts the file beyond what most online scanners accept for upload and past the thresholds at which some antivirus engines skip scanning altogether.
Analyzing the Malware
Many users upload suspicious files to platforms like VirusTotal, but a file over the upload limit never gets scanned. Attackers exploit this by padding the executable with empty space, typically long runs of null bytes appended after the real program (what MITRE ATT&CK calls binary padding, T1027.001). The padding changes nothing about what the code does; it only inflates the file until scanners refuse or skip it. In our case, removing the padding in a hex editor brought the file down to 15 MB, small enough to analyze online. Keep in mind that stripping the padding changes the file's hash, so a lookup of the trimmed sample will not match reports on the original 314 MB file, and vice versa.
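The hex-editor step above can be scripted. The following is an added example (not tooling from the video or from The PC Security Channel) that parses the PE section table to find where the mapped image ends, and then removes the trailing bytes only if they are one repeated byte value of at least 1 MiB, which is what binary padding looks like. A non-uniform overlay, such as the payload an NSIS or Inno Setup installer legitimately stores after the last section, is left intact. The `build_fake_pe` helper, the 1 MiB threshold and the 3 MiB of zeros in `demo()` are constructed for the demo and are assumptions, not data from the page.

```python
"""Strip binary padding (MITRE ATT&CK T1027.001) from an inflated PE file.

Added example, not the channel's own tooling. Assumes a Windows PE input;
the 1 MiB minimum run and the fake-PE builder are constructed for the demo.
"""
import hashlib
import struct
import sys

SECTION_HEADER_SIZE = 40


def pe_image_end(data: bytes) -> int:
    """Offset just past the last byte any section header claims.

    Everything after this offset is 'overlay': data the loader never maps.
    Installers (NSIS, Inno Setup) keep real payloads there, so the overlay
    itself is not evidence of padding.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    sec_off = e_lfanew + 24 + opt_size                          # first section header
    end = sec_off + SECTION_HEADER_SIZE * nsec                  # at least the headers
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each header.
        raw_size, raw_ptr = struct.unpack_from(
            "<II", data, sec_off + SECTION_HEADER_SIZE * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def strip_padding(data: bytes, min_run: int = 1024 * 1024) -> tuple[bytes, int]:
    """Return (trimmed, bytes_removed).

    Only a trailing run of a single repeated byte value, at least `min_run`
    long and located in the overlay, is removed. Non-uniform overlay data is
    kept so a real installer is not corrupted.
    """
    overlay = data[pe_image_end(data):]
    if not overlay:
        return data, 0
    pad_byte = overlay[-1:]
    run = len(overlay) - len(overlay.rstrip(pad_byte))
    if run < min_run:
        return data, 0
    return data[: len(data) - run], run


def build_fake_pe(section_data: bytes) -> bytes:
    """Constructed PE32-shaped blob with one section (demo input, not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0B\x01" + b"\x00" * (opt_size - 2)      # Magic 0x10B, rest zeroed
    raw_ptr = 0x200                                   # first 512-byte file-aligned slot
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + section
    return headers + b"\x00" * (raw_ptr - len(headers)) + section_data


def demo() -> dict:
    """Inflate a constructed PE with 3 MiB of zero padding, then strip it."""
    clean = build_fake_pe(b"\xCC" * 300)
    padded = clean + b"\x00" * (3 * 1024 * 1024)
    trimmed, removed = strip_padding(padded)
    return {
        "padded_size": len(padded),
        "trimmed_size": len(trimmed),
        "removed": removed,
        "restored_exactly": trimmed == clean,
        # Hashes differ, so look the trimmed file up by its own hash, not the original's.
        "sha256_padded": hashlib.sha256(padded).hexdigest(),
        "sha256_trimmed": hashlib.sha256(trimmed).hexdigest(),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: strip_padding.py in.exe out.exe
        with open(sys.argv[1], "rb") as f:
            trimmed, removed = strip_padding(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(trimmed)
        print(f"removed {removed} padding bytes")
    else:
        print(demo())
```

Run it with an input and output path to trim a real sample, or with no arguments to see the constructed demo. The section-table check matters: trimming from the end of the file until the zeros stop would also eat the zero-filled tail of a legitimate installer's overlay, which is why the script keeps anything in the overlay that is not a uniform byte run.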
Real-World Impacts
Initial detections of such samples are often low and climb over time, as more copies are submitted and vendors add signatures. A fake Notepad++ installer, for instance, had minimal detections at first and more later. Attackers only need a short window to hit victims before detection rises and Google removes the malicious ads.
How Info Stealers Work
Info stealers collect saved browser passwords, keylogged input, authentication tokens and session cookies from the system. A stolen session cookie is often enough on its own: the attacker replays it and is logged in as the victim without needing the password or a second factor. With data from several of these sources, accounts are compromised quickly. Guardio, our sponsor, highlighted this threat in an article explaining how cybercriminals use Google's ad network for malware campaigns.
Protecting Yourself
To avoid these threats, check the hostname of the download page (the part right after "https://", up to the next slash) and make sure it is the official site, not a lookalike. Attackers often set up redirects from benign-looking sites to malicious ones, so check the address you actually land on, not the one the ad showed.
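Eyeballing "the part after https://" is weaker than it sounds, because a URL can carry the official name in places that are not the host. As an added example (not from the video), the script below extracts the host a browser would actually connect to and compares it against an allowlist of official domains. The allowlist and the sample URLs are constructed for the demo and are assumptions; confirm each project's official domain yourself before relying on the list.

```python
"""Check that a download URL's real host is the product's official domain.

Added example, not from the video. The allowlist and sample URLs are
constructed for the demo; verify the official domains before relying on them.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed official domains for the software named in the video.
OFFICIAL_HOSTS = {
    "obs": {"obsproject.com"},
    "vlc": {"videolan.org"},
    "7zip": {"7-zip.org"},
    "notepad++": {"notepad-plus-plus.org"},
}


def real_host(url: str) -> Optional[str]:
    """Return the hostname the browser will actually connect to, or None.

    urlsplit().hostname discards 'user:pass@' userinfo, the port and case,
    so 'https://obsproject.com@obspro.net/' correctly yields 'obspro.net'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname


def is_official_download(url: str, product: str) -> bool:
    """True only if the host is the official domain or a subdomain of it."""
    host = real_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS[product])


# Constructed URLs: legitimate forms plus the lookalike tricks that defeat
# an eyeball check of 'the part after https://'.
SAMPLE_URLS = [
    ("obs", "https://obsproject.com/download", True),
    ("obs", "https://cdn.obsproject.com/downloads/OBS.exe", True),
    ("obs", "https://obspro.net/download", False),                 # the lookalike from the page
    ("obs", "https://obsproject.com@obspro.net/download", False),  # userinfo trick
    ("obs", "https://obsproject.com.mirror-host.net/", False),     # official name as a subdomain
    ("obs", "https://mirror-host.net/obsproject.com/", False),     # official name in the path
    ("obs", "http://obsproject.com/download", False),              # plain http, not https
]


def audit(samples=SAMPLE_URLS) -> list:
    """Evaluate each sample URL; returns (url, verdict) pairs."""
    return [(url, is_official_download(url, product)) for product, url, _ in samples]


if __name__ == "__main__":
    for url, ok in audit():
        print("OK  " if ok else "BAD ", url)
```

Apply the check to the URL of the page that actually serves the file, after any redirects, since a benign-looking landing page that forwards to another host is exactly the pattern described above.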
Conclusion
This is a serious threat that requires vigilance. Please like and share this video to spread awareness and subscribe to the PC Security Channel. Join our Discord server for discussions on using AI for threat detection.
Special Thanks
Thank you to Guardio for sponsoring this video. Guardio is a browser extension that scans for cyber threats and protects against malicious websites in real-time. It works on both Mac and PC, offering comprehensive protection.