A recent post published on http://blog.0x3a.com/ it was described a new njRat campaign using old tactics, making use of compromised websites as a third layer, communication proxy.
Using FakeAV tactics was in vogue some years ago, but it seems that not all of them disappeared, and the last post on http://blog.0x3a.com proves exactly that. The infection can arrive from almost any “corner” of the web, like SPAM emails, Chat messages, SMS, etc. etc., but in the case of this post, it wasn’t given any news about the received method.
When visiting the compromised and indicated website the user is greeted with a pop-up alert:
As a typical FakeAV after a pop up like the one above the browser will show like a Windows XP alike My computer and will say that the PC is full of virus
And when clicking any of the buttons of the page software called “Antivirus2015.exe” will be downloaded:
When running the fake antivirus so-called “Antivirus2015.exe” a pop-up will appear with fragmented English (what is strange for an AV brand…) saying “Your Computer not found of virus”
One of the persistent methods of this FakeAV it’s that he adds itself in the startup, to be able run ever time you turn on the PC, via MSConfig it can be seen a new entry:
Investigating further, the author went to check the code and found out that the “main” function does:
As a concluding note, let me say that the old methods of 2005 can be called the new methods of 2015. because random users can forget old threats, or because it was from 10 years ago, or because they never face it before, but keep in mind that old methods are coming back to life, like the case of Excel/Word macros.
You can check the full post by checking the blog here: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-saudi
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – njRat, cybercrime)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.