News and Threat Analysis,  Tools, Tricks and More

GAMING WEBSITE CAUGHT DELIVERING TROJANS

Have you ever been to a site which shows an advertisement stating that “This domain is up for sale.”? Answer must be Yes, everyone as visited such websites but by chance! Most probably, when you see such a website, you just exit from that URL and surf to another website. But some have other type of mind setup.

We all know that how domain name plays an important role in SEO for your website. Infact, good domain name make the visitors come back to your website or sometime a domain name of yours might inspire someone. So, if you by chance reached a site which states that this domain is up for sale, some webmasters try to grab that domain name because the popularity of that domain name can make them and their website popular.

When a webmaster clicks on the URL to buy that domain, he is then redirected to a website where auctioning of that domain name is already going on. Then as a trend, the webmaster also make his offer and if there is a match, the domain get sold.

But Hold on, its not that easy! Bad actors are too present in the same environment as you are. Some researchers found out a campaign that is taking advantage of this redirection to deliver malware to your devices and then exposing you at a next level. Let’s see what exactly is behind this !

REDIRECTING TO A MALICIOUS SITE

Some researchers have come across a campaign that is being run by bad actors delivering malware through malvertising. Malvertising (Malicious Advertising) is a concept of delivering malware through the medium of advertisements. So here, bad actors targets a gaming tool website through where they deliver malware to the victim’s device.

The gaming website here is that of Razor Enhanced. It is a gaming Ultima Mapper that displays all the features available to a gamer. Millions of gamers have downloaded this tool across the world. So the trick lies here is that when a user visits their official site to download an updated version of this tool which is razorenhanced.net, in the background some packages are being transferred from a domain name razorenhanced.org. Here is the proof for that:

Until now, there is nothing malicious or suspicious here. But when you visit this domain razorenhanced.org then you find some different stuff. As stated by WHOIS- domain information provider, this domain name is no more owned by the official Razor Enhanced Community, rather it is up for sale on the auction community.

When you visit this domain name, you will see a stub of services which is up for sale. When you click on any of the services available on this auctioning site, the user will be redirected to a malicious website.

As experimented by the researchers, a MAC OS user got redirected to a website which downloads the Shlayer Trojan that only targets MAC OS users. This Shlayer Trojan is so dangerous that it transfers all the information available to the Command and Control Server and encrypts many of the victim’s documents.

Based on the analysis, the researchers also found out that this website show different advertisements based on user and when the user clicks on the advertisements, the user got redirect to a different website based on their geo-location and thus different trojan get downloaded to their device.

CONCLUSION

We all known how malvertising is becoming a big problem for all the ad publishers out there in the market. For the sake of making more money, many times publishers register themselves with such publisher which have weak security checkup and thus deliver malware to their readers or user. It is therefore always suggested to always use top publisher networks like Adsense, Media.net, etc.