LOBSHOT Malware Used in Malvertising Campaign

Earlier this year, Elastic Security Labs, in collaboration with the research community, detected a significant rise in the use of malvertising. Attackers utilized a sophisticated strategy of creating phony websites via Google Ads and embedding backdoors in what appeared to be legitimate installers to promote their malware. Among the malware families observed during this spike was LOBSHOT, which remains active and continues to target victims without drawing attention to itself.

One of LOBSHOT's key features is its hVNC (Hidden Virtual Network Computing) component, which enables direct and unobserved access to infected machines. This capability has proven to be highly effective in bypassing fraud detection systems and is often incorporated into popular malware families as plugins.

During the analysis, experts observed infrastructure that is known to be associated with TA505, a notorious cybercrime group responsible for Dridex, Locky, and Necurs campaigns. It was also discovered that LOBSHOT shares similarities with a loader known as Get2, which has previously been linked to the same domains as LOBSHOT. Based on these findings, researchers believe with moderate confidence that LOBSHOT is a new capability of TA505 and has been in use since 2022.

Infections caused by LOBSHOT typically begin with users searching for legitimate software downloads. However, they end up downloading illegitimate software from promoted ads via Google. Once the initial libraries are loaded, LOBSHOT performs an anti-emulation check on Windows Defender by verifying whether the computer name matches "HAL9TH" and the username matches "JohnDoe."

These values are hard-coded within the Defender emulation layer, and if detected, the malware stops running immediately. This type of verification has been employed in other stealers such as Arkei, Vidar, and Oski.

How Can Malvertising be Used to Spread Malware?

Malvertising is a type of cyber attack that involves the use of online advertisements to spread malware. Malware, short for malicious software, refers to any software that is designed to harm a computer system or network. Malvertising attackers use legitimate-looking ads to trick users into clicking on them, which then leads to the installation of malware on their devices.

Here are some ways malvertising can be used to spread malware:

• Exploiting vulnerabilities: Malvertisers can create ads that contain malicious code that exploits vulnerabilities in the user's browser, plugins or operating system. When a user clicks on the ad, the code executes and downloads and installs malware onto the user's device.
• Social engineering: Malvertisers can use social engineering tactics to trick users into clicking on ads. They can create ads that mimic legitimate software updates, antivirus scans or system messages. When the user clicks on the ad, they are directed to a fake website that prompts them to download malware.
• Drive-by downloads: Malvertisers can create ads that automatically download malware onto the user's device without the user's knowledge or consent. These drive-by downloads often take advantage of vulnerabilities in the user's browser or operating system.