An enormous malware (opens in new tab) distribution campaign has been detected leveraging more than 200 malicious domains and impersonating more than two dozen global brands to distribute all kinds of malware for both Android (opens in new tab) and Windows operating systems.
Cybersecurity researchers from Cyble first spotted the campaign seeking to distribute various malware among Android users.
In the campaign, the unknown threat actors set up countless domains that seem almost identical to real domains belonging to major brands such as PayPal, SnapChat, TikTok, and others. The domains only have a single character that’s different, that’s missing, or that’s extra.
Android and Windows users attacked
This type of fraud is usually called “typosquatting” and it’s used in all kinds of attacks, for example, on GitHub, where attackers create repositories with names almost identical to legitimate repositories, to try and distribute malware.
BleepingComputer then expanded on this research to find numerous other domains distributing malware among Windows users, as well. The exact advertisement method for these domains is unknown, but the publication suggests it’s either the victims themselves mistyping the domains on their devices, or threat actors engaging in phishing and other forms of social engineering. We shouldn’t forget SEO poisoning, though.
It was also determined that the threat actors used this big typosquatting campaign to deliver all kinds of malware. In some cases, they were distributing the Vidar Stealer, and in other – Agent Tesla. Vidar is capable of stealing banking information, stored passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information, as well. Agent Tesla, first discovered some eight years ago, is capable of stealing credentials from many popular apps including web browsers, VPN software and FTP and email clients.
The researchers believe the threat actors are currently experimenting with different malware variants until they see what works best. Besides malware, the researchers also found the ethersmine[.]com website which tries to steal seed phrases for people’s Ethereum wallets.
Via: BleepingComputer (opens in new tab)
