Elastic Security Labs reports that in recent months there has been an increase in Google ads being misused to distribute a new malware called "LOBSHOT". Based on the analysis, the experts attributed the campaign to the TA505 malware group associated with Dridex, Locky and Necurs malware.
The detected campaign is aimed at users who search Google for links to download various programs. In one case, a malicious ad promoting the AnyDesk application was found in Google search. The landing pages looked very similar to the original website and included a download button for the MSI installer. As soon as the victim pressed the button, the LOBSHOT malware was downloaded to the system and launched without the user's knowledge.
Experts have suggested that LOBSHOT is designed to steal funds, including cryptocurrencies. The backdoor also has the ability to steal information.
LOBSHOT is able to steal crypto from 32 Google Chrome wallet extensions, 9 Microsoft Edge wallet extensions, and 11 Mozilla Firefox wallet extensions. One of the main features of LOBSHOT is the use of the Hidden Virtual Network Computing (HVNC) component, which makes it difficult for antivirus solutions to detect.
The spread of LOBSHOT through malicious ad campaigns indicates that cybercriminals will continue to use this method to expand their attacks. Although this type of malware has not yet expanded its attack surface, it ultimately has features that help attackers act quickly at an early stage, allowing them to take full control of systems remotely.