Pierluigi Paganini
March 05, 2020
Security experts from Kaspersky Lab discovered spotted a new attack technique used by crooks to distribute malware by tricking victims into installing a malicious “security certificate update” when they visit compromised websites.
We have already observed threat actors distributing malware masqueraded by legitimate software updates. The new technique differs from previous ones because visitors to infected
“
“We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.”
The compromised websites display a message claiming the website’s security certificate is expired and urge visitors to install a “security certificate update” to correctly view the content of the website.
The message is contained within
While the script is loaded, the URL bar still displays the legitimate address.
“The
Once the victim clicked on the update button, a file is downloaded (Certificate_Update_v02.2020.exe).
The executable unpacks and installs one of two malware variants to the victim, tracked as
The Mokes backdoor allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.
Buerak is a Windows-based Trojan that implements backdoor capabilities and anti-analysis techniques.
Kaspersky experts included in their analysis the Indicators of Compromise (IoCs).
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, undersea cables)
[adrotate banner=”5″]
[adrotate banner=”13″]
