Magnat Attack planting Backdoor

Researchers have identified malvertising campaigns using fake installers of popular games and applications, such as WeChat, Viber, Battlefield, and NoxPlayer, to lure users into downloading an undocumented, malicious Google Chrome extension and a backdoor.

Advertisements

The objective is to steal data and credentials from the compromised system and maintain remote access. Cisco Talos researchers named this campaign Magnat because the malware payloads are tied to an unidentified actor using the alias Magnat.

Victims are lured through malvertising, which involves malicious online ads, to download fake installers onto their systems. These installers do not install the advertised software but three forms of malware, including a password stealer, a malicious browser extension, and a backdoor.

These enable keylogging and capture screenshots of whatever is displayed on the user’s screen. The actors use a password stealer called Redline. This is a common malware known for stealing all the usernames and passwords stored in the infected device.

Researchers noted that Magnat previously used Azorult password stealer and then switched to Redline after Azorult stopped functioning correctly after Chrome 80’s release in Feb 2020 and in this year targetting YouTubers with cookie stealer attack abusing remoting tools for stealing crypto Currencies

As for the Magnat attack, apart from Redline Stealer, threat actors also distribute malicious Chrome extensions called MagnatExtension programmed to capture screenshots and record keystrokes. It also masquerades as Google’s Safe Browsing and comes with various features such as stealing form data, harvesting cookies and executing arbitrary JavaScript code.

The extension uses a hardcoded C2 address, which is quite interesting as it can be updated with a list of additional C2 domains, and if it fails, the C2 falls back to an alternative method of obtaining a new C2 address after performing a Twitter search for hashtags like “#ololo2019 and #aquamamba2019.”