Downloadable content has also changed. Now, a potential victim is presented with a CAPTCHA dialog that is supposedly served by Cloudflare.
Whatever value is entered in the field (even the correct one), a hint pops up: to gain access to the site you must complete the verification, and if you have any problems, download our software so you no longer waste time on these tests.
Clicking the inserted Download button fetches an .iso file; unpacking it yields the malicious executable, CLOUDFLA.EXE or Cloudflare_security_installer.exe. To reinforce the illusion of legitimacy and divert attention, the Google Chrome update process is launched on the system; notably, the updater uses the Russian language.
Meanwhile, NetSupport RAT, the remote administration tool favoured by SocGholish ransomware, is installed on the system in the background. According to analysts, this payload has not changed. However, only two dozen of the antivirus engines on VirusTotal (as of September 15) detect it.
In addition to the RAT, the victim, as before, receives the Raccoon infostealer. Jerome Segura of Malwarebytes has a different opinion about the malware: he believes it is an Amadey Trojan with a C2 server in the United States. Kaspersky products and some other scanners detect the malicious kit with the verdict "banking Trojan", so it is possible that the infection results in financial losses.
Sucuri experts recorded a similar attack that uses a different fake Cloudflare page: a warning that access has been blocked.
In that case, a Trojan file weighing 669.9 MB was offered for download. Apparently the attacker was trying to bypass antivirus scanners this way, since they usually skip files that exceed their size limit. The payload also included a note advising the user to run the executable, ostensibly to clean the system registry; once run, however, the malware could be detected by behavioural analysis and heuristics.
Analysts also noted a case of the payload being hosted on GitLab; the fraudulent account has already been blocked.
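As an added example (not from the article or any of the vendors it cites), the triage check below runs over constructed endpoint-log records and flags the three behaviours described above: an .iso arriving as a browser download, execution of the named dropper binaries, and an oversized executable of the kind used to slip past scanner size limits. The record format, the `triage` function and the 600 MB threshold are assumptions made for this example.

```python
# Added example: flag the fake-CAPTCHA delivery chain described in the article.
# Log format is a constructed 'kind|path|size_bytes|referrer' record; real
# telemetry would come from an EDR or proxy and need its own parser.
from dataclasses import dataclass

# Dropper file names are the ones named in the article. The threshold is an
# assumption set just below the 669.9 MB sample, so such oversized binaries
# are surfaced instead of silently skipped the way many scanners would.
DROPPER_NAMES = {"cloudfla.exe", "cloudflare_security_installer.exe"}
OVERSIZE_BYTES = 600 * 1024 * 1024

@dataclass
class Event:
    kind: str        # "download" (browser download) or "exec" (process start)
    path: str
    size: int = 0
    referrer: str = ""

def parse_line(line: str) -> Event:
    """Parse one constructed record; missing trailing fields default to empty."""
    kind, path, size, ref = (line.split("|") + ["", "", ""])[:4]
    return Event(kind.strip(), path.strip(), int(size or 0), ref.strip())

def basename(path: str) -> str:
    """Lower-cased file name, tolerating both Windows and POSIX separators."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()

def triage(lines):
    """Return (reason, path) findings for events matching the campaign traits."""
    findings = []
    for ev in map(parse_line, lines):
        name = basename(ev.path)
        if ev.kind == "download" and name.endswith(".iso"):
            findings.append(("iso_download", ev.path))
        if ev.kind == "exec" and name in DROPPER_NAMES:
            findings.append(("known_dropper_name", ev.path))
        if ev.kind == "download" and name.endswith(".exe") and ev.size >= OVERSIZE_BYTES:
            findings.append(("oversized_exe_av_size_evasion", ev.path))
    return findings

# Constructed sample records (hxxp and example hosts are placeholders).
SAMPLE_LOG = [
    "download|C:\\Users\\alice\\Downloads\\Cloudflare_security.iso|2400000|hxxp://compromised.example/captcha",
    "exec|E:\\CLOUDFLA.EXE|0|",
    "exec|C:\\Program Files\\Google\\Update\\GoogleUpdate.exe|0|",
    "download|C:\\Users\\bob\\Downloads\\cleaner.exe|702000000|hxxp://compromised.example/blocked",
]

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```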