Corporate users targeted via malicious ads and modals – ThreatDown by Malwarebytes

Threat actors use malvertising and modal dialogs to social engineer corporate users into installing a malicious browser extension, delivering an MSIX installer that masquerades as legitimate software. The campaign impersonates well-known brands (such as WSJ, SAP Concur, BlackRock, CNN, Asana, and Google Meet) and chains obfuscated PowerShell scripts to fetch NetSupport RAT, enabling data exfiltration and potential further malware deployment. #WSJ #BlackRock #SAPConcur #ThreatDown #NetSupportRAT

Keypoints

  • Ad-based social engineering via sponsored search results leads users to a malicious domain masquerading as a legitimate brand.
  • Malvertising infrastructure and decoy sites impersonate corporate brands (WSJ, SAP Concur, CNN, Asana, BlackRock, Google Meet) to recruit victims.
  • A modal dialog claims that a “special browser extension” is required to access content, prompting installation of a malicious MSIX package.
  • The MSIX installer WSJ.msix appears legitimate but delivers an obfuscated PowerShell payload rather than a true extension.
  • PowerShell scripts contact a remote host to download NetSupport RAT, with each script using different obfuscation techniques.
  • NetSupport RAT exfiltrates data and can be leveraged by initial access brokers to deploy additional tools or ransomware.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – Social engineering via a Google sponsored ad leading to a malicious page that prompts extension installation. ‘That Google ad link redirects to a cloaking service followed by another domain meant to isolate traffic before forwarding the user to the final URL.’
  • [T1189] Drive-by Compromise – Malvertising campaigns intensify and use social engineering to trick users into visiting malicious sites. ‘Malvertising activities have intensified during the past several months… using social engineering techniques to trick users.’
  • [T1027] Obfuscated/Compressed Files and Information – Obfuscated payloads used in PowerShell scripts. ‘an obfuscated PowerShell script.’
  • [T1059.001] PowerShell – PowerShell scripts download and execute payloads to fetch NetSupport RAT. ‘PowerShell script connects to its command and control server domain to retrieve NetSupport RAT.’
  • [T1105] Ingress Tool Transfer – Downloading NetSupport RAT and related tooling on infection. ‘to download NetSupport RAT changes as well.’
  • [T1041] Exfiltration – RAT exfiltrates data from the infected machine. ‘NetSupport RAT exfiltrates data about the victim’s machine.’
  • [T1071.001] Web Protocols – C2 communication over web protocols to retrieve and operate RAT. ‘NetSupport RAT C2s…’

Indicators of Compromise

  • [Domain] Decoy sites – wsj.wf, wsj.re, wsj.pm, wsj.wales, concur.pm, concur.re, concur.cfd, meet-go.click, blackrock.wf, blackrock.re, meet-go.org, meet-go.link, asana.tel, asana.wf, asana.pm, cnn-news.org
  • [IP Address] Hosts – 103.35.191.28, 103.113.70.142, 103.113.70.37, 86.104.72.154, 94.131.101.65
  • [URL] Download URLs – cdn1124.net/files/WSJ.msix, cdn1124.net/files/SAPConcur.msix, cdn1124.net/files/netsupport25.zip, cdn1124.net/files/Asana.msix, cdn41.space/files/CNN.msix
  • [File] Malicious installers – WSJ.msix, SAPConcur.msix, Asana.msix, CNN.msix, GoogleMeet.msix
  • [PowerShell Script] Scripts – CHDLSHtWbSRCfzJMtDO.ps1, WqZxLxZrOrnMWYaBaBKdLenVTu.ps1
  • [Network] NetSupport RAT download domains – cdn1701.com, cdn1124.net, eprst251.boo
  • [IP] NetSupport RAT C2 – 109.107.170.126
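As an added defender-side example (not code from the ThreatDown post), the indicators listed above run as a classifier over a few constructed proxy-log lines covering the chain the page describes: decoy site, MSIX download, C2 contact. The log format, the LEGIT_HOSTS set and the brand-label lookalike heuristic are assumptions; the heuristic generalizes beyond the listed decoy domains to flag the same brand labels on any other host.

```python
from urllib.parse import urlparse

# Indicators copied from the page's IoC section.
DECOY_DOMAINS = {
    "wsj.wf", "wsj.re", "wsj.pm", "wsj.wales", "concur.pm", "concur.re",
    "concur.cfd", "meet-go.click", "blackrock.wf", "blackrock.re",
    "meet-go.org", "meet-go.link", "asana.tel", "asana.wf", "asana.pm",
    "cnn-news.org",
}
PAYLOAD_HOSTS = {"cdn1124.net", "cdn41.space", "cdn1701.com", "eprst251.boo"}
C2_HOSTS = {"109.107.170.126"}
# Brand labels reused across the decoys: the same label on a host that is not
# the brand's real site (assumed list below) flags a not-yet-listed lookalike.
BRAND_LABELS = {"wsj", "concur", "blackrock", "asana", "cnn-news", "meet-go"}
LEGIT_HOSTS = {"wsj.com", "concur.com", "blackrock.com", "asana.com"}

def classify(url):
    """Return a verdict string for one URL, or None if nothing matches."""
    if "://" not in url:  # the page writes its download URLs without a scheme
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in C2_HOSTS:
        return "netsupport-c2"
    if host in PAYLOAD_HOSTS:
        is_package = parsed.path.lower().endswith((".msix", ".zip"))
        return "payload-download" if is_package else "payload-host"
    if host in DECOY_DOMAINS:
        return "decoy-site"
    if host.split(".")[0] in BRAND_LABELS and host not in LEGIT_HOSTS:
        return "brand-lookalike"
    return None

def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 5 and (verdict := classify(fields[3])):
            hits.append((fields[1], verdict, fields[3]))
    return hits

# Constructed sample traffic reproducing the chain the page describes.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://www.wsj.com/ 200",
    "2024-01-01T10:00:07Z 10.0.0.5 GET https://wsj.wf/ 200",
    "2024-01-01T10:00:12Z 10.0.0.5 GET https://cdn1124.net/files/WSJ.msix 200",
    "2024-01-01T10:01:30Z 10.0.0.5 POST http://109.107.170.126/ 200",
]
```

The order of checks matters: an exact IoC match is reported before the weaker lookalike heuristic, so a listed decoy such as meet-go.click is never downgraded to a generic lookalike verdict.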

Read more: https://www.threatdown.com/blog/corporate-users-targeted-via-malicious-ads-and-modals/