Security Week 11: search engine malware

On February 20, a widely discussed post appeared on Habré with examples of ads shown in search results for queries from users who want to download common software. The sponsored links led to third-party resources rather than to the developer's official website. The author of the post did not check whether the distributed programs were malicious, and a comment from Yandex indicated that ads of this kind are checked before publication. Most likely, the sites advertised on popular queries are ones that receive a commission from software developers for installing their programs.


Last week, Kaspersky Lab researchers showed what happens when the software in a similar scenario does turn out to be malicious. The article describes the XCore backdoor and explicitly states that, to increase traffic to websites mimicking the originals, the attackers placed advertisements on search engines, without specifying which ones or when. Hence an important disclaimer: the specific examples in the post linked above and the Kaspersky Lab study are most likely unrelated.

The massive campaign to distribute the XCore backdoor involved creating pages that mimic the official websites of popular software developers, among them Discord, TeamViewer, DAEMON Tools and VLC Media Player. The only noticeable difference from the originals was the absence of active links, except for one leading to the download of the program.



The downloadable installer contains the requested legitimate program and a separate backdoor installer. When launched, it creates a task in Windows Task Scheduler that invokes the malicious program every two minutes. The backdoor's set of functions is traditional: it allows remote connection to the infected system via RDP, executes instructions from the command server, can launch arbitrary applications and change firewall settings. An interesting feature is its interaction with browsers: the backdoor is able to emulate user actions, such as opening web pages and clicking on advertising links.
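As an added example (not from the article or from Kaspersky Lab's research), the following Python script triages Windows Task Scheduler XML files, in the format stored under C:\Windows\System32\Tasks, for the persistence pattern described above: a task repeating every few minutes whose action runs an executable from outside the usual trusted directories. The sample task XML and its path are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace used by Task Scheduler XML files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Executables under these prefixes are treated as trusted (case-insensitive).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT2M, P1DT1H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_tasks(xml_text, max_interval=300):
    """Return (executable, shortest_interval_seconds) for every Exec action of a
    task that repeats at least every max_interval seconds from an untrusted path."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    if not intervals or min(intervals) > max_interval:
        return []
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        exe = (action.findtext("t:Command", "", NS) or "").strip().strip('"')
        if not exe.lower().startswith(TRUSTED_DIRS):
            findings.append((exe, min(intervals)))
    return findings

# Constructed sample: a logon-triggered task repeating every two minutes that
# runs a binary from the user's roaming profile (a hypothetical path).
SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT2M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\svchosts.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for exe, interval in suspicious_tasks(SAMPLE_TASK):
        print(f"suspicious task: {exe} runs every {interval}s")
```

On a live system the same check can be run over every file in the Tasks directory, or over XML exported with schtasks /query /xml.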

Kaspersky Lab security products detect this program as Backdoor.MSIL.XCore. The vast majority of detections occurred in Russia, with only a few cases observed elsewhere. This is the third massive XCore distribution campaign; the previous ones were recorded in the summer of 2019 and at the end of 2018.


A study of sponsored links for popular software-download queries showed that, in addition to the XCore backdoor, users run the risk of installing slightly less dangerous but more annoying adware from the Maombi family. This software is often advertised on legitimate software catalogue sites in a way familiar to visitors: on the download page of the program you actually want, it is not easy to distinguish the real download button from a fake one that is part of an advertising banner, as in the screenshot above. The screenshot below shows an example of such an installer. The adware is installed regardless of the user's choice, even if you click the "Refuse" button or close the window.


What else happened


Positive Technologies found a vulnerability in the Intel Converged Security and Management Engine module (news, post on the company's blog on Habré). According to the researchers, the vulnerability is present in all Intel chipsets and SoCs except the latest 10th-generation solutions and cannot be fixed with a software update. An existing patch for a related vulnerability only limits the possibility of exploitation. The company promised to publish technical details later.

The next driver update for NVIDIA video cards under Windows closes several dangerous vulnerabilities.

Cisco closed vulnerabilities that allow arbitrary code execution in utilities for working with the Webex service. The players for video recordings generated from an online conference can be attacked using a specially prepared file.

The free certificate authority Let's Encrypt was going to revoke 3 million issued certificates due to an error in its website validation process. By the initial deadline (March 4), 1.7 million certificates had been renewed. The remaining revocations were postponed so as not to render the affected sites inoperative. The plan now is to notify the owners of affected sites to renew their certificates as soon as possible; in any case the whole process will be completed within three months, since Let's Encrypt certificates are valid for no longer than one quarter.

A serious vulnerability was discovered and closed in the 2016 Netgear Nighthawk router. The manufacturer does not disclose details (except that it concerns remote execution of arbitrary code); the patch can be downloaded here.

The March security update for Android closes a vulnerability in devices on the MediaTek platform. According to XDA Developers, the problem had been used for several months to obtain root privileges, including by malware.

Troy Hunt changed his mind about selling his Have I Been Pwned service for checking leaked accounts and passwords. After negotiations with a potential buyer, the terms of the deal turned out to be "impracticable", and the service will continue to exist as an independent one.

Microsoft describes in detail "manual" ransomware attacks on businesses (news, research). This time it is not about automated attacks by ransomware trojans but about an individual approach, where unique intrusion tactics are applied to a specific victim and the ransom is set based on its ability to pay. An interesting observation on attack speed: all stages, from initial penetration to full control, take an average of one hour.


A vulnerability in Zoho's mobile device management software came with an element of drama: the researcher published information about the problem and posted an exploit without informing the developers of the service and software, citing "bad experience" in the past.
