According to researchers, this campaign is backed by the same hack group that was previously involved in distributing the fake installer of the popular VSDC video editor, both through the program’s official website and through third-party directories. This time, hackers managed to gain administrative access to the CMS of a number of sites that began to be used in the infection chain. A script is inserted into the codes of pages of compromised resources, which redirects users to a phishing page disguised as an official Google resource.
The selection of users is based on geolocation and the definition of the user's browser. Target audience – visitors from the USA, Canada, Australia, UK, Israel and Turkey, using the Google Chrome browser. It is worth noting that the downloaded file has a valid digital signature similar to the signature of the fake NordVPN installer distributed by the same criminal group.
The infection mechanism is implemented as follows. When the program starts, a folder containing the utility files for remote administration of TeamViewer is created in the% userappdata% directory, and two SFX-protected archives are unpacked. In one of the archives there is a malicious msi.dll library that allows you to establish an unauthorized connection with an infected computer, and a batch file for launching the Chrome browser with the Google start page (.) Com. A script is extracted from the second archive to bypass the built-in antivirus protection of Windows OS. The malicious msi.dll library is loaded into memory by the TeamViewer process, simultaneously hiding its work from the user.
Using this backdoor, attackers are able to deliver payloads to infected devices in the form of other malicious applications. Among them have already been noticed:
- Keylogger X-Key Keylogger,
- Infostiller Predator The Thief,
- Trojan for remote control via RDP.