Cyber Security Threat Summary:
A newly discovered malware named 'LOBSHOT' can discreetly take control of Windows devices using hVNC and is being distributed through Google Ads. Cybersecurity researchers had earlier reported an increase in threat actors using Google ads to distribute malware through fake websites for popular applications such as 7-ZIP, VLC, OBS, Notepad ++, CCleaner, TradingView, Rufus, and others. These malicious sites pushed malware, including Gozi, RedlLine, Vidar, Cobalt Strike, SectoRAT, and the Royal Ransomware, instead of the intended applications.

“In a new report by Elastic Security Labs, researchers revealed that a new remote access trojan named LOBSHOT was being distributed through Google Ads. These ads promoted the legitimate AnyDesk remote management software but led to a fake AnyDesk site at amydeecke[.]website. This site pushed a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain historically associated with the TA505/Clop ransomware gang. However, Proofpoint threat researcher Tommy Madjar previously told BleepingComputer that this domain had changed ownership in the past, so it is unclear if TA505 is still using it. The downloaded DLL file is the LOBSHOT malware and will be saved in the C:\ProgramData folder and then executed by RunDLL32.exe. "We have observed over 500 unique LOBSHOT samples since last July. The samples we have observed are compiled as 32-bit DLLs or 32-bit executables typically ranging around 93 KB to 124 KB," explains the Elastic Security Labs report” (Bleeping Computer, 2023).

Once activated, the LOBSHOT malware checks for 32 Chrome cryptocurrency wallet extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions. After locating these extensions, the malware executes a file in C:\ProgramData, which Elastic, the cybersecurity firm, believes might be used for stealing the extension data or some other purpose. Additionally, the malware includes an hVNC module that allows attackers to remotely access the infected device surreptitiously. This feature is unusual as stealing cryptocurrency extensions is a more common tactic among such malware.

Security Officer Comments:
hVNC (hidden virtual network computing) is a type of remote access software that enables hackers to take control of a hidden desktop on an infected device without the user's knowledge. The recently discovered LOBSHOT malware uses an hVNC module, allowing hackers to remotely control the infected device as if they were in front of it. The attackers can execute commands, steal data, and deploy additional malware using this method. LOBSHOT is commonly distributed via phishing emails and is likely used to gain initial access to corporate networks and spread laterally to other devices. The use of hVNC could result in ransomware attacks, data extortion, and other security breaches.

Suggested Corrections:
Elastic Security Labs have published IOCs that can be used to detect the LOBSHOT malware:

https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware

Link:
https://www.bleepingcomputer.com/ne...hackers-hidden-vnc-access-to-windows-devices/