Ask Partner Network (APN) has been compromised twice within 2 month since 2016 November. Researcher’s Discovered deliver malware to computers running the Ask.com Toolbar.
First Attack took place at the November Reported by Red Canary security and discovered that Ask’s software was being co-opted by a malicious actor to execute malicious software on victims’ endpoints.
Once installed, the dropper would bring in secondary malware including banking Trojans and other online-fraud.
Attackers who were trying to turn the Ask.com Toolbar into a malware dispensary got caught early on when their scheme was picked up by security services that were looking for anomalies.
Second Attack initiate RAT in victim’s PC
Carbon Black Detected and Reported that attackers used this RAT to open a reverse command shell on the victim’s computer. All of this happened in 60 seconds after the delivery of the malicious update.
“Carbon Black Threat Research team confirmed this to be a continuation of the earlier activity, and indicative of a sophisticated adversary based on the control of a widely used update mechanism to deliver targeted attacks using signed updates containing malicious content.”
Second Attack Detected that originated from the APN Updater using malware signed with the certificate issued .
Less Than 60 Seconds to Gain Access
Carbon Black Reported that ,We have warned about the dangers of Potentially Unwanted Programs and Applications (PUP/PUA) several times but this breach provides direct evidence that a threat actor is making use of PUPs and their infrastructure for more targeted and highly malicious activities.
“Within one minute of gaining access to the target endpoint the attacker had launched a remote command shell and within 45 minutes “ of initial access they had captured credentials and were moving laterally in the network.
The RAT utilized as a part of this second assault was marked by the APN testament issued after the primary Attack, which in all likelihood implies the assailants kept up an a dependable balance on APN’s system after designers cleaned servers after the principal Attack.