Security experts from Carbon Black have spotted a new adware campaign that leverages very sophisticated obfuscation techniques.
The adware campaign was used by crooks to spread ransomware and, according to the malware researchers, it used tactics similar to those of the nation-state attack known as Operation Aurora.
“Just for fun, I asked my customer to run the query: cmdline:copy AND cmdline:/b. Cb Response showed they had three hits. I bolted upright in my chair. Three years ago, I stumbled upon this attack vector and I’d never seen it since… until last week.” continues the report.
“As we began to triage the event, we began to see .dat files being joined to form all sorts of unusual file types including .txt, .png, .log, .ico, & .dll files. It was highly irregular.”
“So, now for the ‘stranger’ part. As we began to walk backward up the process tree, we began noticing that the parent processes launching these rather advanced obfuscation techniques were ‘routine’ adware, flagged multiple times by VirusTotal.”
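The report's hunting query (cmdline:copy AND cmdline:/b) will also match ordinary binary copies, so a defender usually wants to narrow it to the behaviour described above: .dat fragments joined into some other file type. The script below is an added example, not code from the Security Affairs article or from Carbon Black's tooling; it assumes process command lines are available as plain strings (for instance from an EDR export), and the sample lines in it are constructed.

```python
"""Constructed detection logic (not Carbon Black's or Security Affairs' code):
start from the report's Cb Response query (cmdline:copy AND cmdline:/b), then
parse the '+'-joined fragments and flag only joins of .dat pieces into the
file types the report lists."""
import re
from typing import Optional

# Output types the report saw being assembled from .dat fragments.
SUSPECT_TARGETS = {".txt", ".png", ".log", ".ico", ".dll"}
COPY_B = re.compile(r"\bcopy\s+/b\s+(?P<rest>.+)$", re.IGNORECASE)
# A token is a run of quoted strings and/or non-space characters, so a
# join like "a b.dat"+"c.dat" stays together as one source list.
TOKEN = re.compile(r'(?:"[^"]*"|\S)+')

def ext(path: str) -> str:
    """Lower-case extension of a Windows path, '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def parse_copy_b(cmdline: str) -> Optional[dict]:
    """Describe a concatenating `copy /b`; None for anything else."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    # cmd.exe accepts spaces around '+'; normalise so the join is one token.
    rest = re.sub(r"\s*\+\s*", "+", m.group("rest").strip())
    tokens = TOKEN.findall(rest)
    if not tokens or "+" not in tokens[0]:
        return None  # single-file copy /b, not a concatenation
    sources = [s.strip('"') for s in tokens[0].split("+") if s]
    # With no destination, cmd writes the joined bytes back into the first source.
    destination = tokens[1].strip('"') if len(tokens) > 1 else sources[0]
    dat_join = (all(ext(s) == ".dat" for s in sources)
                and ext(destination) in SUSPECT_TARGETS)
    return {"sources": sources, "destination": destination, "dat_join": dat_join}

def flagged_destinations(cmdlines) -> list:
    """Destinations of every .dat-to-suspect-type join among the command lines."""
    return [e["destination"] for e in map(parse_copy_b, cmdlines) if e and e["dat_join"]]

# Constructed sample command lines, not taken from the report.
SAMPLE_CMDLINES = [
    r"cmd.exe /c copy /b C:\ProgramData\a.dat+C:\ProgramData\b.dat C:\ProgramData\x.dll",
    r'copy /B "C:\Temp\p 1.dat" + "C:\Temp\p 2.dat" C:\Temp\icon.ico',
    r"copy /b part1.dat+part2.dat",           # joins in place into part1.dat
    r"copy /b setup.exe D:\backup\setup.exe",  # plain binary copy, nothing joined
    r"copy /b notes.txt+todo.txt all.txt",    # a join, but not of .dat fragments
]
```

The regex only recognises the `copy /b <sources> <dest>` form; cmd.exe also accepts `/b` after the file names, so a production rule should cover that ordering too.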
The experts from Carbon Black received other similar support requests from customers that had experienced the same attack. According to the malware researchers, victims from several industries were targeted by variants of adware used to deliver the Enigma ransomware.
According to Benjamin Tedesco, lead of the Advanced Consulting Team for Carbon Black, the obfuscation techniques borrowed from Operation Aurora were able to easily evade sandboxing and other detection mechanisms.
Once the target machine was compromised, the malware used in the campaign was able to drop additional payloads to perform other malicious activities.
This campaign demonstrates that even behind an adware campaign it is possible to find a very sophisticated threat.
(Security Affairs – Adware, Hacking)