
Fake Microsoft Teams Updates Lead To Cobalt Strike Installation

Dark_Code_x

As part of attacks, hackers purchase advertising on search engines to distribute malware.

Ransomware operators use malicious ads to distribute fake Microsoft Teams updates, infect systems with backdoors, and then install Cobalt Strike beacons to compromise the network.

Bleeping Computer got a warning from Microsoft, according to which the criminals used signed binaries and exploited the critical ZeroLogon vulnerability (CVE-2020-1472) to gain administrator access to the network using the SocGholish JavaScript framework.

In one attack, hackers acquired ads on a search engine, causing early search results for Microsoft Teams software to point to a domain under the criminals' control. Clicking on the link loaded a payload that ran a PowerShell script to download more malicious content. The malware also installed a legitimate copy of Microsoft Teams on the system so that victims would not suspect anything.

In most cases, the original payload was the Predator the Thief infostealer, which sends sensitive information such as credentials, browser data, and financial information to an attacker, Microsoft said. Other programs distributed in this way include the Bladabindi backdoor (NJRat) and the ZLoader info-stealer.

The malware also downloaded Cobalt Strike beacons, allowing an attacker to roam the network. In some attacks, the final stage was the launch of malware to encrypt files on computers on the network.

As a reminder, attackers have also begun to actively use a critical vulnerability (CVE-2020-14882) in Oracle WebLogic platforms to deploy Cobalt Strike beacons. Thus, hackers provide themselves with constant remote access to compromised devices.