A person wearing a black mask and hoodie, sneaking past a computer's security defenses.

LOBSHOT Malware Allows Unknown VNC Access To Windows Devices

LOBSHOT has recently been used by threat actors to spread malware and steal information for Windows via Google Ads, exposing how threat actors are utilising the platform to spread malware. The incident adds to the growing number of cases in which Google Ads have been utilised to deliver malicious payloads.

The attacker uses Google Ads and fake websites to spread malware via malvertising. They trick users into downloading installers containing backdoors that seem legitimate. 

Several popular software programs, including OBS, VLC, and 7-ZIP, were replicated on fake websites that distributed LOBSHOT malware. Instead of valid programs, the attacker utilised these websites to spread malware including Cobalt Strike, Gozi, and Vidar. These malicious payloads also included RedLine, SectoRAT, and Royal Ransomware

Since July 2022, LOBSHOT malware has been spread using fake Google advertisements for reputable software applications like AnyDesk. To spread the malware, advertisements like this attach viewers to a network of fake websites that the attacker controls.

Instead of AnyDesk’s official website, users are sent to a seemingly genuine page hosted on https://www.amydecke[.]com. The page has a download button that links to an MSI installer that is used to deploy the LOBSHOT malware.

Will Dormann spots a fake AnyDesk advertisement
Will Dormann spots a fake AnyDesk advertisement (MalwareHunter Team & Dormann)

Upon visiting the website, a malicious MSI file was downloaded. This file executes a PowerShell command that downloads a DLL file from download-cdn[.]com, a domain previously linked to the TA505/Clop ransomware group.  

LOBSHOT malware checks 32 cryptocurrency wallet extensions in Chrome, 9 in Edge, and 11 in Firefox. When it is discovered, a file in the C:ProgramData folder is executed. 

LOBSHOT malware uses dynamic import resolution to avoid detection.  The malware generates required Windows API names while it is active. Once executed, the malware performs an anti-emulation check of Windows Defender and exits its process if detected to prevent detection by anti-malware software.

Chain of LOBSHOT Malware Spreading
Chain of LOBSHOT Malware Spreading (Elastic) 

According to Elastic Security Labs report

We have observed over 500 unique LOBSHOT samples since last July. The samples we have observed are compiled as 32-bit DLLs or 32-bit executables typically ranging around 93 KB to 124 KB.

Elastic found that LOBSHOT contains an hVNC module that enables attackers to anonymously access compromised devices remotely in addition to stealing cryptocurrency extensions from vulnerable devices. 

LOBSHOT Malware with Remote Access Capability (hVNC) 

LOBSHOT uses hidden virtual network computing (hVNC) to let attackers operate on the infected system without the victim being aware of it. With its hidden activity, hVNC allows attackers to remotely access a system without knowing about it. 

Using a hVNC module, LOBSHOT gives threat actors remote mouse and keyboard access to a victim’s device’s hidden desktop. 

Elastic further said: 

At this stage, the victim machine will start sending screen captures that represent the hidden desktop that is sent to a listening client controlled by the attacker. The attacker interacts with the client by controlling the keyboard, clicking buttons, and moving the mouse, these capabilities provide the attacker full remote control of the device.

The threat actors can execute commands, steal data, and spread new malware payloads on the hacked device because they have complete control of it thanks to hVNC. The malware is likely used to obtain initial access to corporate networks and to spread laterally to additional devices because AnyDesk is a popular remote desktop application used in business environments. This type of unauthorised access can result in severe consequences such as ransomware attacks, data extortion, and other malicious activities. 

These attacks compromise the privacy of individuals and result in unexpected costs for victim companies and organisations. As a result, they continue to be a significant concern for many people, impacting daily lives. 

Successful ransomware attacks are most-often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts