In a new report by Elastic Security Labs, researchers revealed that a new remote access trojan named LOBSHOT is being distributed through Google Ads, allowing threat actors to stealthily take over infected Windows devices using hVNC (hidden VNC).
Fake ads promoting the legitimate AnyDesk remote management software lead victims to a site that pushes a malicious MSI file, which in turn downloads the LOBSHOT DLL.
If Microsoft Defender is not detected on the machine, the malware configures itself to start automatically at Windows logon, transmits system information (including the list of running processes) to its operators, and checks for wallet extensions.
LOBSHOT then deploys an hVNC module that gives the attackers access to a hidden desktop session on the victim machine as if they were sitting in front of it. At this point the threat actors have complete control over the device: they can execute commands, steal data, deploy further malware payloads, and move laterally to other devices as a foothold for further attacks.
Dave Ratner, CEO of HYAS, had this comment:
“Remote access trojans and other nefarious attacks delivered via Google Ads are becoming more common. While difficult to spot and detect initially, having the visibility into outbound, anomalous communication via Protective DNS solutions can prove critical to identifying these types of attacks and stopping them before they steal data, deploy further malware payloads, and spread laterally through the organization.”
Roy Akerman, Co-Founder & CEO of Rezonate, follows up with this comment:
“Ads as a delivery mechanism and LOBSHOT as the exploiting malware is a pattern we’ve seen many times due to its success rates. Most often, users reduce their guard once they see a sponsored ad in Google or any familiar social platform, assuming thorough checks have been made by the company to assure authenticity and security. However, time and time again, we see this technique used. Early this year we saw ransomware groups, specifically the threat actor tracked as DEV-0569 and others, use Google Ads for distribution. The ads vary from AnyDesk to Zip software, FileZilla, WinRAR, and other very common and free-to-use tools.
“This hVNC module used for exploiting and gaining access is similar to ransomware techniques and the RDP protocols that are most often available and unrestricted. Specific applications known to be vulnerable should be either restricted or closely monitored, in addition to the ability to identify abnormal malicious attempts to exploit on every endpoint, such as the push of an MSI file or an in-memory DLL.”
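The delivery chain described earlier (a downloaded MSI installer followed shortly by a DLL loaded from a user-writable directory) and the comment above about watching for the push of an MSI file or an in-memory DLL both point at the same endpoint-detection idea. The following script is an added example written for this article, not code from Elastic Security Labs, HYAS or Rezonate: it correlates process-creation and image-load events per host and raises an alert when msiexec.exe is run against an installer in a user directory and a DLL is then loaded from a user-writable path within a short window. The telemetry lines, field layout, host names and file names are all constructed for the example; real Sysmon or EDR exports would need their own parser.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Elastic report). Each line is
#   timestamp|host|kind|image|detail|parent
# For "process" events "detail" is the command line; for "imageload" events
# it is the process that loaded the DLL. WS01 shows the MSI-then-DLL chain,
# WS02 a legitimate installer, WS03 a DLL load with no preceding installer.
SAMPLE_EVENTS = r"""
2023-05-01T10:00:00|WS01|process|C:\Windows\System32\msiexec.exe|/i C:\Users\alice\Downloads\anydesk_setup.msi|C:\Program Files\Mozilla Firefox\firefox.exe
2023-05-01T10:00:21|WS01|imageload|C:\Users\alice\AppData\Local\Temp\helper.dll|C:\Windows\System32\rundll32.exe|
2023-05-01T10:30:00|WS02|process|C:\Windows\System32\msiexec.exe|/i C:\Users\bob\Downloads\vendor_tool.msi|C:\Windows\explorer.exe
2023-05-01T10:30:05|WS02|imageload|C:\Windows\System32\kernel32.dll|C:\Program Files\VendorTool\tool.exe|
2023-05-01T11:00:00|WS03|imageload|C:\Users\carol\AppData\Roaming\plugin.dll|C:\Program Files\App\app.exe|
"""

# Path fragments that mark directories a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str     # "process" or "imageload"
    image: str    # process image, or the DLL path for imageload events
    detail: str   # command line, or the loading process for imageload events
    parent: str


def parse_events(text: str) -> list:
    """Parse the pipe-separated constructed format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, image, detail, parent = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), host, kind, image, detail, parent))
    return events


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect_msi_then_dll(events, window=timedelta(minutes=5)) -> list:
    """Alert when msiexec runs an installer from a user directory and a DLL is
    loaded from a user-writable path on the same host within `window`."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        installers = [e for e in evs
                      if e.kind == "process"
                      and e.image.lower().endswith("\\msiexec.exe")
                      and in_user_writable_dir(e.detail)]
        for inst in installers:
            for e in evs:
                if (e.kind == "imageload"
                        and e.image.lower().endswith(".dll")
                        and in_user_writable_dir(e.image)
                        and inst.ts <= e.ts <= inst.ts + window):
                    alerts.append({
                        "host": host,
                        "msi_cmdline": inst.detail,
                        "dll": e.image,
                        "loader": e.detail,
                        "seconds_after_msi": (e.ts - inst.ts).total_seconds(),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_msi_then_dll(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {alert['host']}: {alert['dll']} loaded by {alert['loader']} "
              f"{alert['seconds_after_msi']:.0f}s after '{alert['msi_cmdline']}'")
```

Run on the constructed sample, only WS01 produces an alert: the WS02 installer loads a DLL from System32, and the WS03 DLL load has no installer in front of it. The window and the user-writable markers are the tuning knobs; in practice the imageload side would also be joined to the process tree (the DLL loader being a child of the MSI install) to keep false positives down.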
Reading this report by Elastic Security Labs illustrates the need for enhanced detection and prevention of these payloads so that they never reach their intended targets. Otherwise, based on the report, this malware is going to be a serious problem for many organizations.