Malsmoke

Security researchers have noted a malware campaign recently changed tactics to spread a variant of the ZLoader malware (Sphinx) on popular adult websites.

The researchers called the campaign "Malsmoke." Malsmoke has been around since at least August of 2020, if not earlier. The original campaign saw hackers exploit kits to distribute the Smoke Loader malware dropper to victims. This approach changed in October when the team altered their course and instead used fake Java update programs on adult websites as a way to distribute ZLoader instead. ZLoader is one of the most notorious information stealing banking trojans around. The virus finds and exfiltrates banking details, login credentials, and other information from targets, including most financial institutions.

The campaign targets some of the most popular adult websites on the internet. The fake Java ads were discovered on Xhamster, an adult website that receives nearly a billion monthly visits. The ads were seen on other adult websites that receive millions of monthly visitors. Targeting high-traffic websites of any kind is an effective tactic to reach the most people possible.

Malvertising is a common form of malware distribution, so this attack pattern is nothing new. Malvertising refers to "Malicious Advertising" and sees malicious adverts distributed through questionable third-party ad provider services. Websites use these ad networks to generate revenue. Traditional advertising platforms like Google Ads don’t do business with adult websites, so they rely on these other ad providers. What does stand out about this attack, however, is that malvertising typically targets low-traffic websites. It is rare to come across an attack of this scale.

Experts note malvertising activity spiked in recent months. The current Malsmoke campaign stands out above the others because the criminals targeted high traffic websites to reach the most potential victims. The more people the malware was put in front of, the more likely it was that someone would download it. This is also the logic behind spam emails. Attackers send hundreds of thousands of emails in the hopes even a dozen people will bite.

Hackers rely on malvertising attacks because attacks that send people to exploit kits are effective. One problem with this approach is that there aren’t enough vulnerabilities for hackers to exploit. Such vulnerabilities are quickly discovered and addressed by software providers. Malvertising campaigns typically rely on old vulnerabilities for outdated web browsers like Internet Explorer.

Another reason that the Malsmoke campaign stands out is that it doesn’t rely on users using outdated Internet Explorer. People using browsers such as Google Chrome and Mozilla Firefox are vulnerable to the attack. Given that the popups appear on high traffic adult websites, there is a greater chance of infecting more people.

The Malsmoke campaign itself uses a decoy page that displays a number of adult images that look like adult movies to appear. Visitors are enticed by the ads and click on them, hoping to see more. When users attempt to play one of the videos, it opens a new browser window that plays the first few seconds of a pixelated video. A message appears telling users that they don’t have Java Plug-in 8.0 installed. Users are told to download and install a fake Java update called JavaPlug-in.msi. The file installs the ZLoader malware rather than any Java plugin. Hackers add an extra layer of obfustication by digitally signing the file as a Microsoft Installer. Anyone who gets to this point of the process is unlikely to notice that anything is wrong.

Researchers say that it is odd for the attackers to choose Java. Java is not associated with or used by video streaming services. However, people who click on the fake update likely won’t be aware of this and won’t think anything is wrong. This is all that matters to attackers. The one common point between every computer virus is that they rely on human error. Attackers must first exploit you before they can exploit your computer.

*/*Stay safe when browsing and consider using an adblocker to keep malvertising at bay. The potential for malicious ads is one of the most cited reasons people use adblockers, outside of ads being annoying and getting in the way. Some websites may demand you disable your ad blocker, but these websites are unlikely to have malicious ads in the first place.