A newly discovered backdoor and credential-stealer is posing as a legitimate software download as part of an elaborate campaign to lure corporate workers into downloading malware.
Researchers from Elastic Software observed the malware, dubbed LOBSHOT, being propagated through malicious Google Ads for popular remote-workforce applications like AnyDesk, they disclosed in a recent blog post.
"Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers," Elastic Software's Daniel Stepanic wrote in the post.
The threat group TA505, known for spreading the Clop ransomware, appears to be behind LOBSHOT, a backdoor that appears financially motivated, stealing banking, cryptocurrency, and other credentials and data from victims, the researchers said. The fake download site used to spread LOBSHOT executed a DLL from download-cdn[.]com, a domain historically associated with the threat group, which is also known for its hand in the Dridex, Locky, and Necurs campaigns, they said.
Based on this and other infrastructure tied to TA505 that is used in the campaign, the researchers "assess with moderate confidence" that LOBSHOT is a new malware capability leveraged by the group, Stepanic wrote. Researchers are also seeing new samples related to this family each week, and "expect it to be around for some time," he wrote.
Leveraging Malicious Google Ads
Like similar threat campaigns observed earlier in the year, potential victims are exposed to LOBSHOT by clicking on Google Ads that purport to be for legitimate workforce software, such as AnyDesk. This tactic is similar to one observed in January spreading the malware-as-a-service Rhadamanthys Stealer through website redirects from Google Ads that also posed as download sites for popular remote-workforce software, such as AnyDesk and Zoom.
Indeed, the campaigns are linked to "a large spike" in the adoption of malvertising that security researchers have been observing since earlier this year, according to Elastic Search.
"Similar infection chains were observed in the security community with commonalities of users searching for legitimate software downloads that ended up getting served illegitimate software from promoted ads from Google," Stepanic wrote.
The activity reflects a trend of adversaries' persistence in abusing and increasing their reach "through malvertising such as Google Ads by impersonating legitimate software," he said.
Stepanic acknowledged that these types of malware may seem insignificant and have limited reach, but they end up packing a big punch through "fully interactive remote control capabilities" to help threat actors gain initial access to corporate networks and engage in other malicious activity.
LOBSHOT Infection Chain
The LOBSHOT infection chain begins when someone performs an Internet search for legitimate software, for which Google Ads delivers a promoted result that is actually a malicious site.
"In one observed instance, the malicious ad was for a legitimate remote desktop solution, AnyDesk," Stepanic explained. "Careful examination of the URL goes to https://www.amydecke[.]website instead of the legitimate AnyDesk URL, https://www.anydesk[.]com."
Clicking on that ad takes the user to a legitimate-looking landing page offering a download of the software the user was seeking. The download is actually an MSI installer that, once downloaded, executes on the user's computer, the researchers said.
"The landing pages were very convincing, with similar branding as the legitimate software and included Download Now buttons that pointed to an MSI installer," Stepanic wrote.
The MSI then launches PowerShell, which downloads LOBSHOT via rundll32, and the malware begins communicating with the attacker-owned command-and-control server, according to Elastic Software.
Evasion and Mitigation
One of LOBSHOT's core capabilities centers on its hVNC (Hidden Virtual Network Computing) component, a module that allows for "direct and unobserved access to the machine" and is used by attackers as a way to evade detection, Stepanic noted.
"This feature continues to be successful in bypassing fraud-detection systems and is often baked into many popular families as plugins," he wrote.
Like much malware in current use, LOBSHOT also employs dynamic import resolution to evade security products and slow down the rapid identification of its capabilities, the researchers said.
"This process involves resolving the names of the Windows APIs that the malware needs at runtime as opposed to placing the imports into the program ahead of time," Stepanic wrote.
The researchers included links to several Elastic Search GitHub pages with detection and prevention rules for the behaviors LOBSHOT exhibits across its processes, including Suspicious Windows Explorer Execution, Suspicious Parent-Child Relationship, and Windows.Trojan.Lobshot.
The post also includes guidance that organizations can use to build EQL queries that hunt for similar suspicious behavior in the grandparent, parent, and child process relationships the researchers observed during LOBSHOT execution.
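As an added illustration of the process-chain hunt just described (example code written for this article, not Elastic's published rules or queries), the following Python flags any rundll32.exe whose parent is powershell.exe and whose grandparent is msiexec.exe, the chain the researchers describe; the process events are constructed sample data and the file names in them are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (constructed sample telemetry, not real data)."""
    pid: int
    ppid: int
    name: str      # image file name, lower-case
    cmdline: str

# Chain to hunt for, oldest first: MSI installer -> PowerShell -> rundll32.
LOBSHOT_CHAIN = ("msiexec.exe", "powershell.exe", "rundll32.exe")

def ancestors(ev, by_pid, depth):
    """Up to `depth` ancestors of `ev`, nearest first; None where the tree is cut."""
    out, cur = [], ev
    for _ in range(depth):
        cur = by_pid.get(cur.ppid) if cur is not None else None
        out.append(cur)
    return out

def match_chain(events, chain):
    """Every event whose own name and ancestor names equal `chain` (oldest first)."""
    by_pid = {e.pid: e for e in events}
    expected = list(reversed(chain[:-1]))   # parent name, grandparent name, ...
    hits = []
    for ev in events:
        if ev.name != chain[-1]:
            continue
        anc = ancestors(ev, by_pid, len(expected))
        if all(a is not None and a.name == n for a, n in zip(anc, expected)):
            hits.append(ev)
    return hits

# Constructed sample events: a LOBSHOT-style chain, a benign rundll32 under cmd.exe, and a rundll32 spawned directly by msiexec.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent(200, 100, "msiexec.exe", "msiexec.exe /i AnyDesk-Setup.msi"),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe -File stage.ps1"),
    ProcessEvent(400, 300, "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\sample.dll,#1"),
    ProcessEvent(500, 100, "cmd.exe", "cmd.exe"),
    ProcessEvent(600, 500, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(700, 200, "rundll32.exe", "rundll32.exe C:\\Temp\\other.dll,#1"),
]

def hunt_lobshot_chain(events=SAMPLE_EVENTS):
    """PIDs of rundll32 processes sitting at the end of the LOBSHOT chain."""
    return [e.pid for e in match_chain(events, LOBSHOT_CHAIN)]
```

The same grandparent/parent/child logic is what an EQL query over process events expresses; the benign rundll32 under cmd.exe and the msiexec-to-rundll32 event without the PowerShell hop stay unflagged, showing that the full chain is required for a hit.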