HIGHLIGHT OF THE MONTH
In the last couple of months, the use of Google Search banner ads by various threat actors to distribute malware (RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys stealer, IcedID and Raccoon Stealer, among others) has reached remarkable proportions. This intrusion technique, called malvertising, which consists in leaning on a legitimate advertising network, in this case Google Ads, is not new. Indeed, malvertising capitalizes on the efforts the network naturally deploys to attract Internet users to its ads in order to spread a malicious payload quickly and to a large audience.
In practice, Google Ads places ads at the top of the results panel following a search, distinguishing them only slightly from the natural (non-sponsored) results, and thus takes advantage of the reflex, encouraged in users of the platform, to click on the first links proposed. Cybercriminals only have to exploit this mechanism by offering, through ads placed at the top of the page, the download of popular freeware (VLC, Blender, Firefox, WinRAR, LibreOffice, TradingView, CCleaner…) while mobilizing, at the same time, techniques found in phishing campaigns (typosquatting, imitation of legitimate sites…). By its nature, the technique used in these campaigns is aimed more at individuals than at companies, with credential theft as the generally observed objective.
Its rise and its focus on Google Ads raise questions about the automatic detection capabilities Google deploys to clean up its advertisements, as the malware being pushed takes its evasion capabilities even further. Users should therefore remain cautious about this type of ad.
DEFINITION OF THE MONTH
HTML smuggling (not to be confused with HTTP smuggling) is an evasion technique that gets a malicious file onto a target's machine by means of an HTML file. It is currently used by experienced attackers to bypass the defence systems of targeted networks.
With this approach, the attacker avoids sending a malicious file to the victim, which could be analyzed and blocked by intermediate devices such as a web proxy or an email gateway. Here the victim is the one who takes the initiative: when the HTML page is viewed, the browser interprets the embedded code, and the malicious file is reconstructed and saved locally, thus bypassing the firewall.
This technique is regularly combined with phishing or spear-phishing attempts, in which the threat actors invite the victim to visit a website to view an HTML page, or to download an attached HTML file. This approach is notably implemented in the Qakbot and IcedID malware infection chains.
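Because the file never crosses the gateway as a file, the place to look is the HTML itself: the browser APIs needed to decode an embedded blob and hand it to the user as a download. The heuristic scanner below is an added example written for this page (not Gatewatcher's own detection logic); its indicator list, weights and threshold are assumptions to tune on real traffic, and both sample pages are constructed test inputs, with a placeholder string in place of any payload.

```python
import re
from typing import Dict, List, Tuple

# Heuristic indicators that a page rebuilds a file client-side and pushes it
# to the user as a download. Weights are an assumption for this example.
INDICATORS: Dict[str, Tuple[str, int]] = {
    "base64_decode":  (r"\batob\s*\(", 2),
    "blob_construct": (r"\bnew\s+Blob\s*\(", 2),
    "object_url":     (r"\bcreateObjectURL\s*\(", 2),
    "legacy_save":    (r"\bmsSaveOrOpenBlob\s*\(", 2),
    "download_attr":  (r"\.download\s*=|\bdownload\s*=\s*[\"']", 1),
    "auto_click":     (r"\.click\s*\(\s*\)", 1),
    "long_base64":    (r"[A-Za-z0-9+/]{200,}={0,2}", 2),
}
ALERT_THRESHOLD = 5  # assumption: tune against your own mail/web traffic


def scan_html(html: str) -> Dict[str, object]:
    """Score an HTML document (page body or attachment) for smuggling traits."""
    hits: List[str] = [name for name, (pattern, _) in INDICATORS.items()
                       if re.search(pattern, html)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= ALERT_THRESHOLD}


# Constructed sample: an ordinary page whose download points at a server-hosted
# file, so the transfer itself is visible to proxies and gateways.
BENIGN_PAGE = """<html><body>
<a href="https://files.example.invalid/report.pdf" download="report.pdf">Report</a>
<script>document.querySelector('a').addEventListener('click', () => console.log('dl'));</script>
</body></html>"""

# Constructed excerpt showing the indicator calls only: the file content is
# carried inside the page ('QUJD' repeated is a placeholder, not a payload) and
# assembled by the browser, so no file transfer is seen by the gateway.
SMUGGLING_PAGE = """<html><body><script>
var data = atob('""" + ("QUJD" * 60) + """');
var blob = new Blob([data], {type: 'application/octet-stream'});
a.href = URL.createObjectURL(blob);
a.download = 'invoice.iso';
a.click();
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("smuggling", SMUGGLING_PAGE)):
        result = scan_html(page)
        print(f"{label}: score={result['score']} hits={result['hits']} "
              f"suspicious={result['suspicious']}")
```

A single indicator such as a `download` attribute is common on legitimate sites, which is why the scorer only alerts when several of them co-occur in one document.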
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It's no secret that knowledge of one's adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.