Monday, November 4, 2024
HomeBotnetPop-up Ads & Hundreds of Websites Helping to Distribute Botnets, Cryptocurrency Miners...

Pop-up Ads & Hundreds of Websites Helping to Distribute Botnets, Cryptocurrency Miners and Ransomware

Published on

Malware protection

A Malicious Software Downloader called ICLoader through Popup Ads and over hundreds of websites are pushing various PUA such as Botnets, cryptocurrency Miners and also a emerging GandCrab ransomware.

Malware Files are sharing via Popup Ads and distributing over Hundreds file sharing websites and fake software sharing sites and advertisement maker websites which all are still alive.

Malicious ICLoader Targeting a specific set of software users and it pop-up malicious ads with those software names in a compromised website that contain a high visitors traffic.

- Advertisement - SIEM as a Service

There are 3 main sources attackers used to Distribute the ICLoader

  1. Pop-up ads on free file sharing service websites that are used for distributing the malicious software where users can upload the malicious files and generating a download link.
  2. The second method of distributing fake software sharing websites. In this case, attackers create 117 websites and each sites sharing hundreds of malicious software.The sites list detailed descriptions of software and have ‘free download’ buttons to the cracked versions at the bottom of the page and it redirects to downloader software, mainly ICLoader.
  3. Two Torrent sharing websites that mimic real torrent download websites that distributing ICLoader from the link that leads to download ICLoader.

How ICLoader installation works via Popup Ads

Once the victims click the link, it redirects to traffic management server where a user will reach the ICLoader page and link will drop the ICL Downloader.

Also, ICLoader has a different hash value every time it is downloaded from the server and  ICLoader server distribute a zip archive which contains the ICLoader software.

According to TrendMicro, The ICLoader file has the name of the software that the victims originally intended to download, which is part of the ruse to convince victims that the download is legitimate. Once victims execute the ICLoader file, they will see the typical software installation instructions and steps. All of the PUA software we tracked were also signed with a valid COMODO certificate, which adds to the appearance of validity.

Later ICLoader downloads and installs the legitimate software and later it communicates with C&C Server to receive an aditional malicious files.

This ICLoader previously installed either installed or additionally loaded seven different groups of botnets, four different cryptocurrency miners, and the GandCrab ransomware

Cryptocurrency miner download link contains a shortened URL  shortened URLs show that the miner botnet has around 80 thousand victims that constantly load their miner and mine for them every day.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

A Massive Hacking Toolkit From “You Dun” Threat Group Developed To Lauch Massive Cyber Attack

The "You Dun" hacking group exploited vulnerable Zhiyuan OA software using SQL injection, leveraging...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....