Security researchers are now reporting a new and dangerous malware that can, among other things, steal the passwords of infected systems. Damage has been detected in a number of different countries, and Norway is among the countries affected.
A new malware campaign called Magnat was recently named and described by the security company Cisco Talos.
Spread through ads and legitimate software names
According to researchers at Cisco Talos, malware is spread through software downloads that claim to be legitimate and popular software. The method of distribution is mainly malicious ads – the so-called “malicious ads” in English.
We believe with a moderate degree of certainty that online advertisements are used to reach potential victims who are looking for software to install on their systems. The company adds that the combination of ads and fake software downloads is particularly twisted because users who arrived with ads are already willing to run an install on their systems.
Based on the names of some exe files scattered in the campaign, the malware hides behind popular messaging apps like Viber and WeChat and popular PC games like Battlefield.
There are three different types of malware spread throughout the campaign. One is designed to steal passwords, the other is a backdoor that allows hackers to gain hidden remote access to the system via RDP (Remote Access Protocol), and the third is a malicious browser extension to Chrome.
Norwegian victims
The Chrome extension has similarities to banking Trojans and steals information from the browser in several different ways, including through “keylogging” – which means recording user keystrokes – and taking screenshots on the computer. It can also steal cookies, such as “cookies”.
The distribution campaign was supposed to have already started in 2018, and most of the targets are in Canada, USA and Australia. However, damage has also been detected in a number of European countries, and Cisco specifically mentions Norway among these countries – it is not clear how many Norwegian casualties there are. The other countries are Italy and Spain.
-Based on the use of password thieves and a Chrome extension similar to Trojan Bank, we believe the attackers’ goal is to obtain user data, possibly for sale or further use. The motive for installing the RDP tailgate is uncertain. Cisco most likely writes that it is selling RDP access, using RDP to get around security functions based on IP addresses or using RDP for further use on systems that seem interesting to an attacker.
More details about the Magnat campaign can be found at Cisco Talos Technical Review.
“Web specialist. Lifelong zombie maven. Coffee ninja. Hipster-friendly analyst.”