LOBSHOT Malware Discovered via Malvertising Investigation

Elastic Security Labs researchers discovered a new malware family, which they named LOBSHOT, while investigating a rise in malvertising campaigns. LOBSHOT is of particular interest because it grants operators hidden VNC (Virtual Network Computing) access to infected Windows devices. The researchers also found infrastructure connections between the malware and TA505, a financially motivated cybercriminal group known for deploying ransomware and banking trojans.

Spike in Malvertising Campaigns

Malvertising campaigns have been growing in number, and their stealthy nature makes it difficult for users to differentiate between legitimate and malicious advertisements. Security researchers have observed that this rise may be attributed to threat actors selling malvertising-as-a-service, further highlighting the importance of being vigilant when interacting with online ads.

During this research Elastic Security Labs observed a marked spike in malvertising campaigns across popular, high-traffic websites and search results, exposing a large number of users. The LOBSHOT campaign did not rely on an exploit kit or on a browser vulnerability: a paid search ad placed a malicious site above the genuine vendor's result, and a visitor who clicked the ad and then the site's download button received an installer that ran LOBSHOT on the device. The user performs every step; the attacker only has to look legitimate.

TA505 Infrastructure

TA505, the cybercriminal group suspected of being behind the development and deployment of LOBSHOT, has long been recognized for its wide-ranging malicious activities. This group is known for its well-organized and diverse range of attack campaigns, specifically focusing on financial institutions as their primary targets but also extending their malicious activities to other industries.

Following the analysis of LOBSHOT, Elastic Security Labs found clear overlaps between the malware's infrastructure and previously identified TA505 infrastructure. The similarity in attack methodologies and overlapping infrastructure gives credence to the hypothesis that TA505 is responsible for the development and active use of LOBSHOT.

Hidden VNC Access

One of the most concerning aspects of LOBSHOT is its capability to give threat actors hidden VNC access to victims' devices. Unlike a legitimate remote-support session, nothing is shown on the victim's screen and no consent prompt appears: the attacker can watch, operate and exfiltrate from the device while the victim continues to use it normally. That invisibility is what makes LOBSHOT a powerful tool for financially motivated actors, who use such access to operate banking and other authenticated sessions from the victim's own machine.

Distribution Method

The distribution method of LOBSHOT malware has been observed to involve deceptive tactics, leveraging Google Ads and fake websites to entice unsuspecting victims. These techniques further demonstrate the sophistication and adaptability of the threat actors behind this malware, making it even more critical for end users to be cautious when browsing and clicking on advertisements.

Fake Websites through Google Ads

One of the primary ways LOBSHOT is distributed is through fake websites promoted via Google Ads. The threat actors build and maintain counterfeit sites that mimic legitimate software vendors, then buy search ads so that the counterfeit site appears among the top results for the product name. A user searching for that software may click the ad under the impression that it is the genuine vendor, and the download they receive installs LOBSHOT.

Redirecting Users to Fake AnyDesk Domain

The case Elastic documented used a counterfeit AnyDesk domain. AnyDesk is a widely used remote desktop application that businesses and individuals rely on for remote access and support, so a download from a page that looks like the vendor's attracts little suspicion. The threat actors registered a look-alike domain, reproduced the vendor's download page and served an installer that is in fact the LOBSHOT dropper. Remote-access software is a convenient lure: the victim expects to install something that grants remote control, which is exactly what the malware then does, covertly and for someone else.
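The defensive counterpart to a look-alike vendor domain is to check the registrable domain of a download link against the vendor's real one before running anything. The script below is an added example and is not from Elastic's report or from this page; the trusted-domain allowlist, the look-alike hostnames (all under the reserved .example TLD) and the abbreviated public-suffix table are constructed for illustration. It reduces a hostname to its registrable domain, rejects brand names embedded in someone else's domain, rejects near-miss typosquats by edit distance, and rejects internationalized hostnames that could hide homoglyphs.

```python
from urllib.parse import urlsplit

# Domains the user actually intends to download from. Constructed allowlist for the
# example; a real deployment would carry the organisation's approved vendor list.
TRUSTED_DOWNLOAD_DOMAINS = {"anydesk.com"}

# Minimal public-suffix handling so that "www.vendor.co.uk" reduces to "vendor.co.uk".
# Production code should use the full Public Suffix List instead of this short set.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# How close (in edits) a registrable label may be to a trusted brand before it is a typosquat.
TYPOSQUAT_MAX_EDITS = 2


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url, trusted=TRUSTED_DOWNLOAD_DOMAINS):
    """Return (verdict, reason): 'allow', 'reject' or 'review' for a software download link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "reject", "no hostname in URL"
    # Punycode labels (xn--) decode to non-ASCII; a look-alike built from a Cyrillic 'a' lands here.
    try:
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        unicode_host = host
    if not unicode_host.isascii():
        return "reject", "internationalized hostname (possible homoglyph of a vendor name)"
    if parts.scheme != "https":
        return "reject", "download link is not https"
    reg = registrable_domain(host)
    if reg in trusted:
        return "allow", f"registrable domain {reg} is on the trusted list"
    for vendor in trusted:
        brand = vendor.split(".")[0]
        # Brand used as a subdomain or embedded in another registrable domain:
        # "anydesk.com.<other>.example" resolves to <other>.example, not to the vendor.
        if brand in host:
            return "reject", f"'{brand}' appears in the untrusted domain {reg}"
        if edit_distance(reg.split(".")[0], brand) <= TYPOSQUAT_MAX_EDITS:
            return "reject", f"{reg} is within {TYPOSQUAT_MAX_EDITS} edits of {vendor}"
    return "review", f"{reg} is not a known vendor domain"


if __name__ == "__main__":
    # Constructed links; the look-alike domains are hypothetical and use the reserved .example TLD.
    for link in (
        "https://anydesk.com/en/downloads",
        "https://download.anydesk.com/AnyDesk.exe",
        "http://anydesk.com/en/downloads",
        "https://anydesk.com.download-mirror.example/AnyDesk.msi",
        "https://anydeks.example/AnyDesk.msi",
        "https://example.org/tool.msi",
    ):
        print(link, "->", classify_download_url(link))
```

The allowlist does the real work; the typosquat and brand-embedding rules only explain why something that is not on it is worse than merely unknown. A proxy or endpoint agent would apply the same classification to the final download URL after redirects, which is where the ad click ends up.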

Installation through Compromised System

The documented delivery path is the fake installer, but LOBSHOT is a dropped payload and could equally be delivered by other means, such as a compromised website or a spear-phishing attachment; nothing in the malware itself depends on the ad. Elastic's analysis reports that the fake AnyDesk installer, an MSI package, writes the LOBSHOT DLL under C:\ProgramData and launches it with rundll32.exe, and that the malware persists by adding a Run key entry so it starts again at each logon. Once running, it gives the operator hidden VNC access to the host, who can then remotely control and manipulate the system as desired.
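That install chain (an installer spawning rundll32.exe on a DLL in a user-writable directory, followed by a Run key pointing at the same DLL) is detectable from ordinary process and registry telemetry. The detector below is an added example, not code from Elastic or from this page, written over constructed Sysmon-style events; the folder name, DLL name, export name and SID in the sample are hypothetical, and the assumption that the dropper's parent is msiexec.exe is used only to raise severity, not to match.

```python
import re

# Directories an unprivileged user (or an installer running as that user) can write to.
# A DLL that rundll32 loads from one of these was not placed there by a normal install.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# HKCU/HKU ...\CurrentVersion\Run and RunOnce: per-user autostart entries.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# rundll32 takes "<dll>,<export>" (or just "<dll>"); capture the DLL path from a command line.
RUNDLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)', re.I)


def dll_from_rundll32_cmdline(cmdline):
    m = RUNDLL_ARG_RE.search(cmdline)
    return m.group(1).strip() if m else None


def in_user_writable_dir(path):
    return path.lower().replace("/", "\\").startswith(USER_WRITABLE_PREFIXES)


def detect(events):
    """Return (severity, rule, pid, dll) tuples for events matching the install chain."""
    alerts = []
    for e in events:
        image = e.get("Image", "").lower()
        if e["EventID"] == 1 and image.endswith("\\rundll32.exe"):
            dll = dll_from_rundll32_cmdline(e.get("CommandLine", ""))
            if dll and in_user_writable_dir(dll):
                # An installer run through msiexec spawning rundll32 on a DLL it just
                # wrote is the dropper step itself, so rate it higher.
                parent_is_msiexec = e.get("ParentImage", "").lower().endswith("\\msiexec.exe")
                alerts.append(("high" if parent_is_msiexec else "medium",
                               "rundll32 loading DLL from user-writable path", e["ProcessId"], dll))
        elif e["EventID"] == 13 and RUN_KEY_RE.search(e.get("TargetObject", "")):
            dll = dll_from_rundll32_cmdline(e.get("Details", ""))
            if dll and in_user_writable_dir(dll):
                alerts.append(("high", "Run-key persistence via rundll32 and user-writable DLL",
                               e["ProcessId"], dll))
    return alerts


# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# The ProgramData folder name, DLL name, export and SID are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\alice\\Downloads\\AnyDesk.msi",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\ProgramData\\SoftwareUpd\\upd.dll,DllEntryPoint",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"EventID": 13, "ProcessId": 5120, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SoftwareUpd",
     "Details": "rundll32.exe C:\\ProgramData\\SoftwareUpd\\upd.dll,DllEntryPoint"},
    # Benign control: a system DLL invoked from explorer the way Control Panel applets are.
    {"EventID": 1, "ProcessId": 6000, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately independent: the process rule fires at install time, the registry rule fires again at persistence, and a host that shows both for the same PID and DLL path is a much stronger signal than either alone. Expect some noise from legitimate installers that stage DLLs under ProgramData; tune by excluding signed DLLs rather than by widening the path list.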

LOBSHOT’s Capabilities

LOBSHOT's capabilities center on hidden Virtual Network Computing (hVNC), through which attackers remotely control infected devices and operate their user interface without the victim seeing any of it. The core capabilities are:

Hidden Virtual Network Computing (hVNC)

At the heart of LOBSHOT's functionality is hVNC. Through hVNC, attackers control the device covertly, without the consent or knowledge of the victim. Because the attacker's session never appears on the victim's screen, the malware can maintain a stealthy presence on the compromised device while the operator carries out fraud or further intrusion.

Remote Control of the Device

LOBSHOT's hVNC capabilities enable attackers to take full control of infected devices: executing commands, changing settings and accessing resources in the victim's own user context. This allows the operators to exfiltrate data, install additional malware and run long interactive sessions on the victim's machine. Because the actions originate from the victim's own device, IP address and browser, they are hard to distinguish from the legitimate user's activity.

Full Graphical User Interface (GUI)

The malware also exposes the full graphical user interface (GUI) of the target device, so the attacker interacts with a complete desktop rather than a command shell. This makes the compromised device far easier to operate: the attacker can open the victim's browser with its existing logged-in sessions and saved cookies, read sensitive information on screen, and perform actions that appear to originate from the legitimate user.
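hVNC implementations generally achieve invisibility by creating a separate Windows desktop object and running the victim's shell or browser there: windows on a desktop that is not the active one are never drawn on the physical screen. A host-side check that follows from this is to enumerate the desktops of the interactive window station and list processes with windows on any desktop Windows did not create itself. The script below is an added example, not Elastic's code or anything from this page; the desktop name and PIDs in the constructed sample are hypothetical. The enumeration itself needs Windows, so the flagging logic is kept separate and is what runs on the sample.

```python
import sys

# Desktops Windows itself creates inside the interactive window station WinSta0.
KNOWN_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}

DESKTOP_READOBJECTS = 0x0001
DESKTOP_ENUMERATE = 0x0040


def enumerate_desktop_windows():
    """Windows only. Return (desktop_name, pid) for each top-level window on each desktop
    of this process's window station, or (desktop_name, None) if the desktop has no windows
    or could not be opened (a desktop whose DACL denies enumeration is itself a signal)."""
    if sys.platform != "win32":
        raise OSError("this check uses the Win32 desktop APIs and only runs on Windows")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    EnumDesktopProc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    EnumWindowsProc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HANDLE
    user32.EnumDesktopsW.argtypes = [wintypes.HANDLE, EnumDesktopProc, wintypes.LPARAM]
    user32.OpenDesktopW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    user32.OpenDesktopW.restype = wintypes.HANDLE
    user32.EnumDesktopWindows.argtypes = [wintypes.HANDLE, EnumWindowsProc, wintypes.LPARAM]
    user32.GetWindowThreadProcessId.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.DWORD)]
    user32.CloseDesktop.argtypes = [wintypes.HANDLE]

    results = []

    def on_desktop(name, _lparam):
        hdesk = user32.OpenDesktopW(name, 0, False, DESKTOP_READOBJECTS | DESKTOP_ENUMERATE)
        if not hdesk:
            results.append((name, None))   # exists but we may not look inside
            return True
        seen = 0

        def on_window(hwnd, _lp):
            nonlocal seen
            pid = wintypes.DWORD()
            user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
            results.append((name, pid.value))
            seen += 1
            return True

        user32.EnumDesktopWindows(hdesk, EnumWindowsProc(on_window), 0)
        user32.CloseDesktop(hdesk)
        if seen == 0:
            results.append((name, None))
        return True

    user32.EnumDesktopsW(user32.GetProcessWindowStation(), EnumDesktopProc(on_desktop), 0)
    return results


def flag_hidden_desktop_processes(desktop_windows):
    """Group PIDs by desktop, keeping only desktops Windows did not create itself."""
    flagged = {}
    for desktop, pid in desktop_windows:
        if desktop.lower() in KNOWN_DESKTOPS:
            continue
        flagged.setdefault(desktop, set())
        if pid is not None:
            flagged[desktop].add(pid)
    return flagged


# Constructed sample of what enumerate_desktop_windows() might return on an infected host;
# the extra desktop name and the PIDs are hypothetical.
SAMPLE_DESKTOP_WINDOWS = [
    ("Default", 1234), ("Default", 1300), ("Winlogon", 600),
    ("hvnc_desk", 5120), ("hvnc_desk", 5121),
]

if __name__ == "__main__":
    data = enumerate_desktop_windows() if sys.platform == "win32" else SAMPLE_DESKTOP_WINDOWS
    for desktop, pids in flag_hidden_desktop_processes(data).items():
        print(f"desktop {desktop!r}: pids {sorted(pids) or '(none visible or access denied)'}")
```

Run it in the victim's logon session, since a window station is per session and an elevated console in another session sees a different WinSta0. An extra desktop is not proof on its own (some sandboxes and secure-input products create one), so pivot from the PIDs to parent process and image path before acting; and an hVNC variant that draws its hidden windows on the Default desktop would not show up here at all, which is why this check complements rather than replaces process and network telemetry.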

Mitigation and Concerns

LOBSHOT presents significant concerns to both individual users and organizations, owing to its hidden VNC capability and its association with financially motivated threat actors such as TA505. Addressing these concerns involves understanding the risks and implementing defensive measures, and, more broadly, pressing ad platforms such as Google Ads to screen advertisers more strictly.

Stealing Banking and Financial Information

One of the primary concerns surrounding LOBSHOT is its potential to steal banking and financial information from infected devices. Hidden VNC access lets attackers monitor user activity undetected, capture sensitive data such as login credentials, account numbers and transaction details, and, because the session runs on the victim's own device, carry out transactions that pass device-fingerprinting and IP-reputation checks. Elastic also observed LOBSHOT collecting data from cryptocurrency wallet browser extensions. Such information can be monetized directly or used in further attacks, such as credential stuffing or phishing campaigns.

Calls for Stricter Ad Regulation on Google

In response to the growing threat of malware distribution through Google Ads, several researchers and security professionals have called for Alphabet, Google's parent company, to impose stricter checks on advertisers and on the landing pages of approved advertisements. More robust ad screening and advertiser verification would reduce the spread of malware like LOBSHOT and the number of users who fall victim to it. In the meantime, end users should navigate to a vendor's site by typing its address rather than clicking a search ad, confirm that the registrable domain of the download link is the vendor's own, and verify the installer's digital signature before running it.
