A malware campaign that has been underway since the start of the year has recently shifted gears from exploit kits to social engineering to target consumers of adult content.
Operators are using an old trick to distribute a variant of ZLoader, a banking Trojan that made a comeback earlier this year after an absence of nearly two years and is now used as an information stealer.
Not the video you want
Named Malsmoke by security researchers, the campaign focuses on high-traffic adult portals. Some of these websites, like xHamster, attract hundreds of millions of monthly visitors. Another, Bravo Porn Tube, draws over 8 million visitors each month.
Malwarebytes has been tracking the Malsmoke campaign throughout the year: it delivered Smoke Loader, a malware dropper, through the Fallout exploit kit until its trail went cold on October 18.
The operators, however, had not given up. They switched to a new technique that works on all web browsers: a new malicious campaign that uses “a decoy page full of adult images pretending to be movies.”
By placing a fake video on an adult website, they tricked visitors into playing it. The decoy would open in a new browser window and, instead of a video, victims would get a pixelated view and a few seconds of audio to keep them engaged.
After a few seconds, victims would see an overlay message telling them that the Java plug-in must be installed for the video to play properly.
This is an old trick that dates back to the days when it was common for multimedia data streams to be encoded with various codecs (compression-decompression software). Such media could not be played without the correct codec installed.
Back then, there was a plethora of bogus codecs and media players, many of which were malicious. Adware and malware would be distributed using this method.
Malsmoke operators deliberately made the videos grainy to make it look like software was missing. However, the Malwarebytes researcher notes in his report that offering a Java update as the solution to video streaming issues is an odd choice, as Java is typically used for other tasks.
The researchers linked the old Malsmoke campaigns to the new one after analyzing network metrics and noting that the same templates for decoy websites were used in both cases.
Additionally, the cybercriminals registered a new domain for the new campaign using an email address that was already associated with domains used in previous operations.
During the payload analysis, the researcher discovered that the fake Java Update is a signed installer that mostly contains legitimate libraries and executable files.
One of them – HelperDll.dll – downloaded an encrypted variant of ZLoader (also known as Zbot, Zeus Sphinx, Terdot, and DELoader) and deployed it as the final payload.
The malware went silent in early 2018, but has reappeared in over 100 email campaigns in the six months since December 2019. This is likely a fork of the original threat that lacks advanced functionality.
The current variant of ZLoader has retained the main functions and uses web injections to steal credentials, banking information and sensitive details stored in browsers (cookies, passwords).
By adopting this tactic, Malsmoke operators have broadened their reach to an audience of millions of potential victims. This change is a huge leap, given that a successful compromise via exploit kits requires the victim to still be running Internet Explorer, a browser that is all but retired.
Malwarebytes provides a list of indicators of compromise for the adult sites used in this campaign, as well as for the decoy pages and the command and control servers.