Hackers bombard popular adult content sites in the malsmoke campaign

A large campaign that has been spotted again and again this year. It started small, and now Zloader is the final payload… Malware that steals accounts and personal details

Tuesday, November 17, 2020, 2:29 GMT


Cyber attackers have been targeting visitors to adult sites. They place deceptive ads on these sites that lure people to malicious websites. Users who visit those websites are infected with malware.

This attack campaign is part of a huge malvertising operation called malsmoke, which has been uncovered here and there throughout 2020. Its technique has changed over time: earlier it led victims to malicious sites through phishing attacks, and more recently it has been infecting victims through bogus Java updates.

The change of tactic is said to have begun in mid-October. A banking malware called Zloader is downloaded the moment the user presses the update button. Zloader is malware that steals user credentials and various confidential and personal information. On Monday, the security firm Malwarebytes released an investigation report, explaining that the shift in tactic “looks like the aim of attackers to raise the number of victims dramatically.”

This malvertising attack against adult sites proceeds in the following order.

1) The victim accesses an adult site and clicks an adult video.

2) A new pop-up window appears, which seems to show a blurred image.

3) However, a series of malicious actions is already taking place in the background.

4) When the new pop-up window from step 2 appears, the victim is redirected through various malicious pages and finally arrives at a fake adult site.

5) The blurry video plays fine for a few seconds, then suddenly an error message appears stating that the Java Plug-in 8.0 cannot be found.

6) Zloader is installed when the victim presses the update button.

The blurred video mentioned above is a 28-second MP4 file, said to have been deliberately made to look fuzzy so that users would click update. “In fact, other bait may have been used by the attackers. I still don’t understand why Java was selected, even if Java occasionally has to do with multimedia material. I assume naming a video player that the public knows better would be more plausible.”

JavaPlug-in.msi is the name of the file that the attackers disguise as an update and download to the victim’s device. It is a digitally signed Microsoft installer, and it contains various libraries and executables. Most of these are legitimate, according to Malwarebytes. One of the executables is called lic service.exe. Directly after it is executed, it loads a file named HelperDll.dll. This file plays a major role in delivering the attackers’ final payload: it uses the curl library to download the encrypted payload from moviehunters..site.

This final payload is the previously mentioned Zloader. After it is installed, Zloader injects itself into a new process called msiexec.exe and attempts to connect from there to the C&C server. Once connected, it downloads and installs additional modules according to the attackers’ commands.
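The chain described above (a fake JavaPlug-in.msi, lic service.exe loading HelperDll.dll, then a new msiexec.exe contacting the C&C server) can be hunted for in endpoint telemetry. The following is an added example, not code from Malwarebytes or from the original article; the event schema, the sample events and the "msiexec.exe started with no arguments" heuristic are assumptions.

```python
import ntpath
import re

# File names come from the article; the event schema is an assumption
# (Sysmon-like fields) and every sample event below is constructed.
LURE_MSI = "javaplug-in.msi"
LOADER_EXE = "lic service.exe"
LOADER_DLL = "helperdll.dll"
# Assumption: the injected msiexec.exe host is started with no arguments.
BARE_MSIEXEC = re.compile(r'"?[^"\s]*msiexec(\.exe)?"?\s*', re.I)

def base(path):
    return ntpath.basename(path).lower()

def find_malsmoke_chain(events):
    """Return ordered, de-duplicated (rule, pid) findings."""
    findings, bare_pids = {}, set()   # dict keeps first-seen order
    for ev in events:
        if ev["type"] == "process_create" and base(ev["image"]) == "msiexec.exe":
            if LURE_MSI in ev["cmdline"].lower():
                findings[("fake_java_msi", ev["pid"])] = True
            if BARE_MSIEXEC.fullmatch(ev["cmdline"]):
                bare_pids.add(ev["pid"])
        elif ev["type"] == "image_load":
            if base(ev["image"]) == LOADER_EXE and base(ev["loaded"]) == LOADER_DLL:
                findings[("helperdll_loaded", ev["pid"])] = True
        elif ev["type"] == "network_connect" and ev["pid"] in bare_pids:
            findings[("msiexec_no_args_network", ev["pid"])] = True
    return list(findings)

MSIEXEC = r"C:\Windows\System32\msiexec.exe"
LOADER = r"C:\Program Files\Example\lic service.exe"  # constructed path
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": MSIEXEC,
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\u\Downloads\JavaPlug-in.msi"'},
    {"type": "process_create", "pid": 4200, "image": LOADER, "cmdline": f'"{LOADER}"'},
    {"type": "image_load", "pid": 4200, "image": LOADER,
     "loaded": r"C:\Program Files\Example\HelperDll.dll"},
    {"type": "process_create", "pid": 4300, "image": MSIEXEC, "cmdline": "msiexec.exe"},
    {"type": "network_connect", "pid": 4300, "image": MSIEXEC, "dest": "203.0.113.10:443"},
    {"type": "network_connect", "pid": 4300, "image": MSIEXEC, "dest": "203.0.113.10:443"},
    # Benign: a normal silent install that also talks to the network.
    {"type": "process_create", "pid": 5000, "image": MSIEXEC,
     "cmdline": r'msiexec.exe /i "C:\Temp\vendor-tool.msi" /qn'},
    {"type": "network_connect", "pid": 5000, "image": MSIEXEC, "dest": "198.51.100.7:443"},
]
if __name__ == "__main__":
    print(find_malsmoke_chain(SAMPLE_EVENTS))
```

The file-name rules only catch this specific lure; the argument-less msiexec.exe rule is the one that survives a rename of the installer, at the cost of needing tuning against local software.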

The malsmoke campaign was first launched in September. It was named malsmoke at the time because it specifically used a malware called Smoke Loader. Nevertheless, the attackers’ activity before that time had been continuously recorded. Initially, the operators worked with poorly trafficked sites, but they have moved their operations to more and more high-traffic sites in recent years. Among the adult sites where their footprints were found this time, some average 1 billion visitors per month.

“They will continue to extend their range of operations and mass-produce victims,” Malwarebytes claims. “What their attack tactics have in common is that they are cost-effective.

There are no really trendy, high-difficulty attacks. Instead, it’s inexpensive and has a high rate of growth. As long as similar things appear to be achieved by powerful attackers, the operators of malsmoke can too.”


  1. There has been a large-scale campaign of malvertising attacks on adult sites.
  2. If the video is blurred and a Java update is prompted, it is 100 percent an attack.
  3. A banking malware called Zloader is the final payload. The intention appears to be to steal various data.