Cybersecurity researchers from HP Wolf Security have warned of several active campaigns looking to deliver different types of malware to unsuspecting victims via typosquatted domains and malvertising.
The team explained in a blog post how they found threat actors creating multiple typosquatted websites impersonating popular software such as Audacity, Blender, or GIMP.
The scammers also paid various ad networks to run ads promoting these fake websites. That way, when people search for these programs, search engines may serve the malicious websites right next to the legitimate ones. A user who isn’t careful and does not double-check the URL of the website they’re visiting may end up in the wrong place.
If victims do end up in the wrong place, they’ll hardly notice the difference. The websites are designed to look almost identical to the authentic ones, down to the tiniest detail. In Audacity’s example, the site hosts a malicious .exe file masquerading as the program’s installer. It is named “audacity-win-x64.exe” and is more than 300MB in size.
By making the file this large, the attackers try both to avoid raising suspicion (malware is usually measured in KB) and to evade antivirus scanning. According to the researchers, the automatic scanning features of some antivirus programs skip extremely large files.
The files are hosted on the 4sync.com cloud storage service, the researchers said, adding that all the fake installers in this campaign have been hosted there, hinting that a good defense mechanism might be to block access to this service entirely.
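As an added, defender-side illustration (not code from HP Wolf Security or the article), the snippet below triages constructed proxy-log lines for the three signals described above: a host whose second-level label is within two edits of an official project domain, a download served from 4sync.com, and an .exe larger than roughly 250 MB. The official domains audacityteam.org, blender.org and gimp.org are assumed as the legitimate reference set; the sample hosts under .test are constructed.

```python
from typing import List, Optional

# Official domains used as the legitimate reference set (assumption).
LEGIT = ("audacityteam.org", "blender.org", "gimp.org")
BLOCKED_HOSTS = ("4sync.com",)          # file-hosting service named in the report
LARGE_EXE_BYTES = 250 * 1024 * 1024     # the fake Audacity installer was >300 MB

def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sld(domain: str) -> str:
    """Second-level label: 'www.blender.org' -> 'blender'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def under(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)

def typosquat_of(host: str) -> Optional[str]:
    """Return the legitimate domain a host imitates, or None if it is legitimate."""
    host = host.lower()
    if any(under(host, legit) for legit in LEGIT):
        return None
    for legit in LEGIT:
        if levenshtein(sld(host), sld(legit)) <= 2:   # also catches TLD swaps
            return legit
    return None

def triage(line: str) -> List[str]:
    """Constructed line format: '<host> <path> <bytes>'."""
    host, path, size = line.split()
    host = host.lower()
    findings = []
    target = typosquat_of(host)
    if target:
        findings.append(f"typosquat of {target}")
    if any(under(host, blocked) for blocked in BLOCKED_HOSTS):
        findings.append("blocked file host")
    if path.lower().endswith(".exe") and int(size) > LARGE_EXE_BYTES:
        findings.append("oversized exe")
    return findings
```

Each finding is a coarse heuristic meant to route a download to analyst review, not a verdict on its own; a legitimate mirror or a large benign installer will need an allowlist entry.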
In the campaign, different types of malware are distributed. The largest campaigns the researchers have seen used this delivery approach to deploy the IcedID trojan, but the Vidar infostealer, BatLoader, and Rhadamanthys Stealer have all been observed. According to HP Wolf Security, there has been an uptick in these campaigns since November last year.