Cybersecurity researchers from HP Wolf Security have warned of several active campaigns that deliver various types of malware to unsuspecting victims through typosquatted domains and fake advertisements.
The team explained in a blog post how it found threat actors creating multiple typosquatted websites impersonating popular programs such as Audacity, Blender, and GIMP.
The scammers have also paid various ad networks to run ads promoting these fake websites. As a result, when people search for these programs, search engines may present the malicious sites alongside legitimate ones. A user who is not careful and does not double-check the URL of the site they are visiting may end up in the wrong place.
Dummy installers
If victims end up in the wrong place, they will hardly notice the difference. The websites are designed to look almost identical to the original websites, down to the smallest detail. In the Audacity example, the site hosts a malicious .exe file masquerading as the program’s installer. It’s called “audacity-win-x64.exe” and it’s over 300MB in size.
By making the file this large, the attackers try to avoid arousing suspicion (malware is usually measured in kilobytes), but they are also trying to evade antivirus software: according to the researchers, the automatic scanning features of some antivirus products skip files that are extremely large.
The files are hosted on the cloud storage service 4sync.com, the researchers said, adding that all of the fake installers in this campaign were hosted there, which hints that blocking access to that service altogether might be a good defense.
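The three traits described above (a lookalike domain carrying a brand name, an executable far larger than normal, and hosting on 4sync.com) can be turned into a simple proxy-log triage rule. The following is an added example, not code from HP Wolf Security; the legitimate project domains, the size cutoff and the log format are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlparse

# Assumed official domains for the impersonated projects (not taken from the HP report).
LEGIT_DOMAINS = {"audacityteam.org", "blender.org", "gimp.org"}
BRAND_TOKENS = {"audacity", "blender", "gimp"}
# The report names 4sync.com as the host of every fake installer in the campaign.
BLOCKED_HOSTS = {"4sync.com"}
# Assumed cutoff: the Audacity lure was over 300 MB, and some AV auto-scans skip very large files.
SIZE_THRESHOLD = 200 * 1024 * 1024
EXEC_SUFFIXES = (".exe", ".msi")

# Constructed sample proxy log: time, client, method, url, response bytes.
SAMPLE_LOG = """\
2023-02-01T10:00:01Z 10.0.0.5 GET https://www.audacityteam.org/download/ 12345
2023-02-01T10:02:17Z 10.0.0.5 GET https://audacity-downloads.example/audacity-win-x64.exe 314572800
2023-02-01T10:05:40Z 10.0.0.9 GET https://dl.4sync.com/files/audacity-win-x64.exe 314572800
2023-02-01T10:07:03Z 10.0.0.7 GET https://www.blender.org/download/ 4096
2023-02-01T10:09:12Z 10.0.0.7 GET https://cdn.example/tool.exe 1048576
"""

def registered_domain(host: str) -> str:
    # Last two labels only; a real deployment would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def assess_download(url: str, size: int) -> list[str]:
    """Return the campaign traits a download matches (empty list if none)."""
    parsed = urlparse(url)
    reg = registered_domain(parsed.hostname or "")
    reasons = []
    if reg in BLOCKED_HOSTS:
        reasons.append("hosted on 4sync.com")
    if reg not in LEGIT_DOMAINS and any(b in reg for b in BRAND_TOKENS):
        reasons.append("brand-name lookalike domain")
    if parsed.path.lower().endswith(EXEC_SUFFIXES) and size > SIZE_THRESHOLD:
        reasons.append("oversized executable")
    return reasons

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Parse the constructed log format and return (url, reasons) for flagged downloads."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        reasons = assess_download(parts[3], int(parts[4]))
        if reasons:
            hits.append((parts[3], reasons))
    return hits

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(f"{url}: {', '.join(reasons)}")
```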
The campaigns distribute various types of malware. The largest campaign the researchers saw used this delivery method to spread the IcedID Trojan, but the Vidar infostealer, BatLoader, and Rhadamanthys Stealer were also observed. According to HP Wolf Security, there has been an uptick in these campaigns since November last year.