URL: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader
Submission: On May 12 via api from TR — Scanned from DE

Threat Intelligence


FAKE SYSTEM UPDATE DROPS AURORA STEALER VIA INVALID PRINTER LOADER

Posted: May 9, 2023 by Jérôme Segura

Not all system updates mean well, and some will even trick you into installing
malware.

Malvertising seems to be enjoying a renaissance as of late, whether it is from
ads on search engine results pages or via popular websites. Because browsers are
more secure today than they were 5 or 10 years ago, the attacks that we are
seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a
Windows security update. The scheme is very well designed as it relies on the
web browser to display a full screen animation that very much resembles what
you'd expect from Microsoft.

The fake security update is using a newly identified loader that at the time of
the campaign was oblivious to malware sandboxes and bypassed practically all
antivirus engines. We wrote a tool to 'patch' this loader and identified its
actual payload as Aurora stealer. In this blog post, we detail our findings and
how this campaign is connected to other attacks.


A CONVINCING "SYSTEM UPDATE"

Windows users are quite familiar with system updates, often interrupting hours
of work or popping up in the middle of an intense game. When that happens, they
just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking
victims with what appears to be a system security update.



Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that
is rendered in full screen. This becomes more obvious when downloading the
update file named ChromeUpdate.exe.

Figure 2: The 'Chrome update' downloaded from the web browser


FULLY UNDETECTABLE (FUD) MALWARE

While the file name appears as ChromeUpdate.exe, it uses Cyrillic letters whose
glyphs look like their Latin counterparts but are different characters on disk.
Its URL-encoded form (the hex bytes of the UTF-8 name) is
%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe, as can be seen in the image
below:



Figure 3: Hex encoding and Cyrillic alphabet
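To show what the homoglyph file name above looks like to a parser, here is an added Python example (not code from the article or from Malwarebytes): it percent-decodes the name quoted above, classifies each character by Unicode script, and folds a small hand-picked Cyrillic-to-Latin confusables table (an assumption, not an exhaustive list) back to the Latin name the user perceives so the two can be compared.

```python
import unicodedata
from urllib.parse import unquote

# The percent-encoded file name quoted in the article (UTF-8 bytes, hex-escaped).
ENCODED_NAME = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"

# Assumption: a small hand-picked table of Cyrillic letters whose glyphs are
# near-identical to Latin ones. Illustrative only; Unicode publishes a full
# confusables list that a production check should use instead.
CYRILLIC_TO_LATIN = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i",
}


def decode_name(encoded: str) -> str:
    """Percent-decode a file name as UTF-8; this is the string the user sees."""
    return unquote(encoded, encoding="utf-8", errors="strict")


def script_of(ch: str) -> str:
    """Classify one character as LATIN, CYRILLIC or COMMON via its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "COMMON"


def analyze_name(name: str) -> dict:
    """Report mixed-script use and the Latin 'skeleton' a user would perceive."""
    scripts = {script_of(c) for c in name} - {"COMMON"}
    skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in name)
    return {
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "cyrillic_count": sum(1 for c in name if script_of(c) == "CYRILLIC"),
        "skeleton": skeleton,
        # Spoofed: reads as a Latin name but is not byte-identical to it.
        "spoofed": skeleton != name,
    }


if __name__ == "__main__":
    shown = decode_name(ENCODED_NAME)
    print(f"decoded name: {shown!r}")
    for key, value in analyze_name(shown).items():
        print(f"  {key}: {value}")
```

The same check can be run over download logs or quarantine file names: any name whose skeleton matches a well-known installer name but whose raw bytes do not is worth a closer look.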

When we first ran the sample in a sandbox, we could not see anything obvious,
or even that it was malicious. The file would simply run and exit quickly. Over
a couple of weeks, we collected nine different samples that looked more or less
the same.

We also noticed that the threat actor was uploading each of his new builds to
VirusTotal, a service owned by Google, to check whether they were detected by
antivirus engines. The first user to submit each new sample always uploaded it
from Turkey (country code TR), and in many instances the file name looked like
it had come fresh from the compiler (e.g. build1_enc_s.exe).



Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with
its 70 AV engines it is usually a good indicator for quickly checking whether a
file is malicious. For more than 2 weeks the samples had 0 detections on VT, and
it wasn't until a blog post by Morphisec that detections started to appear.
This new loader is called Invalid Printer and so far appears to have been used
exclusively by this threat actor to bypass security products.



Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec's blog thanks to Threatray which identified
similarities with a file we submitted to their sandbox. The service's built-in
OSINT identified similar samples and linked them with security articles. 

Figure 6: Threatray analysis page


PATCHING THE LOADER

Invalid Printer checks the computer's graphics card, specifically its vendor ID,
which it compares against known manufacturers such as AMD and NVIDIA. Virtual
machines and sandboxes generally do not expose real hardware and therefore fail
the check.

We were able to patch the samples we had collected and identify their payload.
The patch replaces the graphics card check with a random number and makes the
check always return true, allowing the file to run in any sandbox.

Figure 7: Python script to patch loader

UnpacMe, the automated malware unpacking service from OpenAnalysis, now
properly unpacks samples that use the Invalid Printer loader. It allowed us to
determine which malware family is being distributed as well as indicators of
compromise. For example, one of our samples
(31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same
command and control server (94.142.138[.]218) as one mentioned in Morphisec's
blog.

Figure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer,
a popular piece of malware that is designed to harvest credentials from systems.


CAMPAIGN STATS

The threat actor is using a panel to track high level stats about visitors to
the fake system update web page. Based on the numbers from this panel, there
were 27,146 potential unique victims and 585 of them downloaded the malware
during the past 49 days.



Figure 9: Panel showing browser visits and downloads



Figure 10: Browser user-agents, IP addresses and geolocation


WAR AND RUSSIA REFERENCES

We believe there is a single threat actor behind this malvertising campaign and
others such as the one Morphisec uncovered. The malware author seems to take a
very high interest in creating FUD malware and constantly uploads it to
VirusTotal to verify, always using the same submitter profile.

We couldn't help but notice a possible reference to the war in Ukraine left
within the fake Chrome Update page and commented out:

Figure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but
instead had a single YouTube video promoting the cities and landscapes of
Russia:

Figure 12: YouTube video about Russia in 12K HDR 

Additionally, we found some connections with tech support scams and even an
Amadey panel that also appears to belong to the threat actor.


PROTECTION

Malwarebytes already protected users from this malvertising campaign by blocking
the malicious ads involved. We detect the payloads as Spyware.Aurora.





Special thanks to Roberto Santos for help with the sample and binary patching.


INDICATORS OF COMPROMISE

Malvertising gate

qqtube[.]ru
194.58.112[.]173


Fake system update page


Invalid Printer samples

Aurora Stealer C2

103.195.103[.]54:443
94.142.138[.]218:4561

Amadey Stealer panel

193.233.20[.]29/games/category/Login.php


ABOUT THE AUTHOR

Jérôme Segura
Director of Threat Intelligence

A special interest for web threats.

