New Malvertising Tactic: Fake Windows Portal Spreads a Malicious Installer

admin, 2023-11-11 22:17:26

A new malvertising campaign has been found to employ fake sites that masquerade as a legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.

"This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said.

While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com.

The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online).

At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking.

The signed MSI installer that's hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.

"It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page," Segura noted.

This is far from the first time deceptive Google Ads for popular software have turned out to be a malware distribution vector. Last week, cybersecurity firm eSentire disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack.

Two other campaigns documented by the Canadian cybersecurity firm show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families like NetWire RAT, DarkGate, and DanaBot in recent months.

The development comes as threat actors continue to increasingly rely on adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts.

To top it all, eSentire also called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first paragraph of a Wikipedia article and sharing it on Slack.

Specifically, it exploits a quirk in Slack that "mishandle[s] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform.

It's worth pointing out that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain (e.g., in, at, com, or net) and that the two paragraphs should appear within the first 100 words of the article.

Within these constraints, a threat actor could weaponize this behavior so that the preview Slack renders for the shared page points to a malicious link that, upon clicking, takes the victim to a booby-trapped site.

"If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it," eSentire said.

Originally published on the WeChat public account 知机安全: New Malvertising Tactic: Fake Windows Portal Spreads a Malicious Installer

Posted by admin on 2023-11-11 22:17:26. Please keep this link when reposting (CN-SEC Chinese Network; thanks to the original author): https://cn-sec.com/archives/2197122.html
