Google advertisements have been used to distribute malware, including the LOBSHOT malware, which has remained undetected for months.
Cybercriminals use fake websites to lure unsuspecting users into downloading malware onto their systems. Researchers believe that the infrastructure behind the LOBSHOT malware belongs to TA505, a well-known cybercriminal group.
Furthermore, LOBSHOT gives the operator direct, unobserved access to the infected machine, which makes it effective at bypassing fraud detection systems; this kind of hidden remote-access capability is often built into popular malware families as a plugin.
Once executed, LOBSHOT moves a copy of itself to the C:\ProgramData folder and spawns a new process from there using explorer.exe. It then terminates the original process and deletes the original file. LOBSHOT has banking-trojan, cryptocurrency-theft, and information-stealing capabilities, making it useful for financially motivated attacks.
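The relocation sequence described above (a copy launched from C:\ProgramData via explorer.exe, then the original dropper deleted) can be hunted for in endpoint telemetry. The following is an added example, not code from the article or from any vendor; it runs over constructed process-creation and file-deletion events whose field names are assumptions loosely modelled on Sysmon, not a real schema.

```python
# Added detection example (not from the article): flag a process started from
# C:\ProgramData with explorer.exe as its parent, and raise the severity when a
# different executable is deleted afterwards (the dropper cleaning itself up).
# Field names (event, image, parent_image) are assumptions, not a real schema.
from __future__ import annotations
from dataclasses import dataclass

PROGRAMDATA = "c:\\programdata\\"

@dataclass
class Event:
    event: str              # "process_create" or "file_delete"
    image: str              # executable launched, or file deleted
    parent_image: str = ""  # parent process (process_create only)

def normalize(path: str) -> str:
    """Lower-case and use backslashes so path comparisons are case-insensitive."""
    return path.strip().lower().replace("/", "\\")

def find_programdata_relocation(events: list[Event]) -> list[dict]:
    """Return one finding per ProgramData process spawned by explorer.exe.
    Severity is 'high' if a different .exe is deleted later in the stream."""
    findings = []
    for i, ev in enumerate(events):
        if ev.event != "process_create":
            continue
        img, parent = normalize(ev.image), normalize(ev.parent_image)
        if not img.startswith(PROGRAMDATA) or not parent.endswith("\\explorer.exe"):
            continue
        deleted = [normalize(e.image) for e in events[i + 1:]
                   if e.event == "file_delete"
                   and normalize(e.image).endswith(".exe")
                   and normalize(e.image) != img]
        findings.append({"image": img, "parent": parent,
                         "original_deleted": deleted[0] if deleted else None,
                         "severity": "high" if deleted else "medium"})
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    Event("process_create", r"C:\Users\alice\Downloads\setup.exe", r"C:\Windows\explorer.exe"),
    Event("process_create", r"C:\ProgramData\svc.exe", r"C:\Windows\explorer.exe"),
    Event("file_delete", r"C:\Users\alice\Downloads\setup.exe"),
    # benign: runs from ProgramData but is started by the service control manager
    Event("process_create", r"C:\ProgramData\vendor\updater.exe", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for finding in find_programdata_relocation(SAMPLE_EVENTS):
        print(finding)
```

Legitimate installers and user-launched tools also run from C:\ProgramData under explorer.exe, so treat the medium-severity hits as a hunting lead and maintain an allow-list of known vendor paths rather than alerting on them directly.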
Additionally, the malware targets 32 Chrome extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions, allowing threat actors to steal cryptocurrency assets.
Malvertising campaigns remain popular among cybercriminals for distributing malware, indicating that they will continue to use this technique in the future.
LOBSHOT is an example of how malware can seem small yet pack significant functionality, allowing threat actors to move quickly during the initial stage of an intrusion and gain full remote control over systems.