Threat actors are generating fake websites that host trojanised software installers to deceive unsuspecting users into downloading the Fruity malware. The operators' primary objective is to trick users into installing the downloader so it can launch the Remcos remote access trojan (RAT). The researchers said the fake website offers various tools for tuning CPUs, graphics cards, and BIOS.
However, the researchers stated that the products on the fake website are only decoys: they give the threat actors cover to bundle the trojan and its components with the supposed software downloads.
The researchers have yet to confirm the exact access vector the group used in this campaign, but it could be phishing campaigns or drive-by downloads. Users who follow such lures could land on the fake website and be prompted to download a ZIP installer package.
The Fruity malware infects its target stealthily.
The investigation showed that the installer from the fake website also dropped the Fruity malware. The malware launches an MP3 file to load an image and initiate the multi-stage infection. Threat analysts explained that the image file uses steganography to hide two executables and the shellcode for the second stage of the infection.
The Fruity malware could also bypass AV detection on the infected host and launch the Remcos RAT payload through a tactic dubbed process doppelgänging.
The attackers could reuse the same infection chain to launch different malware strains. Hence, users should only download software from trustworthy sources. The malicious campaign was discovered after a researcher disclosed a malspam campaign that delivers the Agent Tesla malware to harvest sensitive information from infected endpoints.
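The steganography step above hides executables inside an image that a download site presents as harmless. A defender triaging such files wants a quick check for embedded PE material beyond the image data. The script below is an added example written for this article, not the researchers' tooling or a sample from the Fruity campaign: it scans a file that starts with a PNG or JPEG magic for a DOS `MZ` header whose `e_lfanew` field points at a valid `PE\0\0` signature, which filters out the random `MZ` byte pairs that legitimate pixel data produces. The two sample buffers are constructed inline; the check only finds raw or appended PE images and would not catch pixel-level (LSB) encoding, which requires format-specific decoding.

```python
import struct

# Magic bytes for the two image formats this example recognises.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def looks_like_image(data: bytes) -> bool:
    """True if the buffer claims to be a PNG or JPEG by its leading bytes."""
    return data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of plausible PE headers embedded anywhere in the buffer.

    A hit requires an 'MZ' DOS stub whose e_lfanew (little-endian DWORD at
    stub offset 0x3C) points, within a sane range, at a 'PE\\0\\0' signature.
    Stray 'MZ' pairs inside pixel data fail that second check.
    """
    hits = []
    start = 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0:
            break
        if i + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            pe_off = i + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(i)
        start = i + 1
    return hits


def scan_image(data: bytes) -> dict:
    """Triage verdict: is it an image by magic, and where do PE headers sit?"""
    offsets = find_embedded_pe(data)
    return {
        "is_image": looks_like_image(data),
        "pe_offsets": offsets,
        "suspicious": looks_like_image(data) and bool(offsets),
    }


def build_fake_pe(padding: int = 16) -> bytes:
    """Constructed stand-in for an embedded executable: a 64-byte DOS header
    with e_lfanew = 0x40 followed by the PE signature. Not a real binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * padding


# Constructed samples (hypothetical data, not files from the campaign).
# CLEAN_SAMPLE contains an 'MZ' pair at offset 8 with no valid PE behind it.
CLEAN_SAMPLE = PNG_MAGIC + b"MZ" + b"\x00" * 200
# SUSPICIOUS_SAMPLE carries a fake PE image appended after 100 bytes of filler,
# so the DOS header lands at offset 8 + 100 = 108.
SUSPICIOUS_SAMPLE = PNG_MAGIC + b"\x00" * 100 + build_fake_pe()


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, scan_image(blob))
```

Running the script reports no PE offsets for the clean sample and offset 108 for the suspicious one. In practice the same function can be run over every image pulled from a suspect installer package, with hits handed to a sandbox or disassembler for closer review.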
The attack follows a wave of malvertising operations that target consumers and businesses with unsafe software promoted through browser ads.
These attacks include the new Nitrogen malware campaign, which uses fraudulent ISO archives spread via fake ads impersonating the download pages of several applications.
Cybersecurity experts warn everyone about the threats from sponsored ad results on popular search engines. A top search result is not necessarily legitimate. Therefore, users should double-check what they are looking for and only download from trusted sources.