Wiperware is a Trojan that resembles ransomware, so its delivery typically relies on the same established social engineering and phishing techniques. Once a system is infected there may even be a ransom note in a README.txt file. The aim is to fool the victim into believing the attack is ransomware and paying up, but the files have not been encrypted for later release: they have been overwritten or destroyed, so no file affected by wiperware can be recovered by paying, and the only way back is restoring from unaffected backups.
In other cases the aim is to bring down critical infrastructure, so there is no pretence of being ransomware at all. Once persistence is achieved, the malware overwrites or deletes critical files one by one until the targeted infrastructure can no longer function as intended.
OneNote attachments are delivered via phishing emails disguised as DHL shipping notifications, invoices, ACH remittance forms, and so on. The attachment is a OneNote notebook with a malicious file embedded in it. The threat actors place a "Double Click To View" banner over the embedded file so that clicking the banner launches it. OneNote then warns that opening the attachment could harm your computer or data; users usually ignore this warning, and once they click 'OK', the embedded file fetches a RAT from a C2 server and installs it. Quasar RAT, AsyncRAT and XWorm RAT are among the RATs observed being downloaded this way.
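The banner hides whatever file the notebook embeds, so the useful check is to pull those embedded files out before anyone double-clicks. As an added example (not code from the original article or from any vendor tool), the following Python script does that using the FileDataStoreObject structure of the MS-ONESTORE format: each embedded file is bracketed by a fixed header GUID and footer GUID, with an 8-byte length field after the header. The sample notebook bytes it builds are constructed for the demonstration and are not a real OneNote file, and the file-type classifier is a deliberately rough heuristic.

```python
"""Extract files embedded in a OneNote (.one) notebook.

Embedded attachments are stored as FileDataStoreObject structures
(MS-ONESTORE): a header GUID, an 8-byte little-endian length, 12 bytes of
unused/reserved fields, the raw file bytes, then a footer GUID.  We scan for
the header GUID, trust the length only if the footer really follows the
data, and classify what we find by its first bytes.
"""
import struct
from dataclasses import dataclass
from typing import List

# On-disk (little-endian) encoding of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# On-disk encoding of {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# cbLength (8) + unused (4) + reserved (8) sit between the header GUID and the data
FDSO_FIELDS_LEN = 20


@dataclass
class EmbeddedFile:
    offset: int   # where the header GUID was found
    size: int     # cbLength from the structure
    kind: str     # rough classification by content
    data: bytes


def classify(blob: bytes) -> str:
    """Very rough type guess; the point is to separate pictures from code."""
    head = blob[:512]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff") or head.startswith(b"GIF8"):
        return "image"
    if b"<script" in low or b"<hta:application" in low:
        return "HTA/HTML with script"
    if b"createobject(" in low or b"wscript" in low or b"powershell" in low or b"cmd.exe" in low:
        return "script"
    return "unknown"


def extract_embedded_files(one: bytes) -> List[EmbeddedFile]:
    found: List[EmbeddedFile] = []
    pos = one.find(FDSO_HEADER)
    while pos != -1:
        fields = pos + len(FDSO_HEADER)
        if fields + FDSO_FIELDS_LEN > len(one):
            break
        (length,) = struct.unpack_from("<Q", one, fields)
        start = fields + FDSO_FIELDS_LEN
        end = start + length
        # Accept the hit only if the footer GUID follows the data; otherwise the
        # header bytes occurred by chance or the length field is corrupt.
        if end + len(FDSO_FOOTER) <= len(one) and one[end:end + len(FDSO_FOOTER)] == FDSO_FOOTER:
            blob = one[start:end]
            found.append(EmbeddedFile(pos, length, classify(blob), blob))
            pos = one.find(FDSO_HEADER, end + len(FDSO_FOOTER))
        else:
            pos = one.find(FDSO_HEADER, pos + 1)
    return found


# --- constructed sample: NOT a real notebook, only the structures we parse ---
def wrap_fdso(payload: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


def build_sample() -> bytes:
    # stands in for the "Double Click To View" banner image
    banner_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    # harmless stand-in for the script the banner hides
    script = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc.exe"\r\n'
    return b"CONSTRUCTED-" + wrap_fdso(banner_png) + b"-filler-" + wrap_fdso(script) + b"-END"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for f in extract_embedded_files(data):
        print(f"offset={f.offset:#x} size={f.size} kind={f.kind} preview={f.data[:40]!r}")
```

Run it against a real attachment with `python extract.py suspicious.one`. A notebook whose embedded objects are a script, an HTA or an executable rather than pictures is a strong phishing indicator, and the same scan is cheap enough to run on a mail gateway before the attachment ever reaches a user.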
While some of the malicious apps have been removed, others are still active on the store. Below are the affected apps:
After the app is installed and opened, it contacts a remote server, which replies with instructions on what to do. These typically include phishing pages to display to unsuspecting users in an attempt to harvest their sensitive information.
Malvertising can appear in any advertisement on any website, including sites you visit regularly. A malvertisement typically drops a small piece of code that connects the computer to a criminal command-and-control (C&C) server. That code profiles the machine, including its location and the software installed on it, and reports back so the server can decide which malware to send. In this campaign, malvertising is the main distribution method: the threat actors place malicious advertisements on popular search engines so that they appear when unsuspecting users conduct searches. Clicking such a link infects the device with the MalVirt loader, which uses the KoiVM virtualising protector to evade detection and hinder analysis by anti-malware software. The loader then installs the FormBook malware together with a signed Microsoft Process Explorer driver, which gives it a way to perform actions with elevated privileges. FormBook also hides its real C2 (command and control) traffic among bogus HTTP requests to numerous decoy domains, so the genuine C2 server is buried in a crowd of harmless-looking connections.
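The decoy-domain trick leaves a network-side trace: one host sends the same kind of POST to many unrelated domains in a short period, and most of them answer with errors because they were never expecting it. As an added example (not from the article or from any vendor's detection content), the following Python script runs that heuristic over a constructed proxy log. The log format, the client addresses, the domain names and the thresholds are all assumptions made for the demonstration.

```python
"""Flag a host that POSTs the same request shape to many unrelated domains in
a short window, the network-side footprint of a beacon that buries its real
C2 among decoy domains.

Log line format (an assumption for this example):
    <ISO-8601 timestamp> <client-ip> <method> <host> <path> <status> <bytes>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed proxy log: 10.0.0.23 behaves like a decoy-domain beacon,
# 10.0.0.40 is ordinary browsing.  Every address and domain is made up.
SAMPLE_LOG = """\
2023-02-06T10:00:01Z 10.0.0.23 POST www.bakery-ardennes.example /u3kf/?id=7 200 312
2023-02-06T10:00:13Z 10.0.0.23 POST shop.kitchenware-depot.example /p8wd/?id=3 404 312
2023-02-06T10:00:25Z 10.0.0.23 POST cdn.alpine-tours.example /b2mq/?id=5 200 312
2023-02-06T10:00:37Z 10.0.0.23 POST www.oldtown-records.example /z9vk/?id=1 404 312
2023-02-06T10:00:49Z 10.0.0.23 POST blog.hillside-nursery.example /q4tr/?id=8 200 312
2023-02-06T10:01:01Z 10.0.0.23 POST mail.redbrick-legal.example /h7ns/?id=2 404 312
2023-02-06T10:01:13Z 10.0.0.23 POST www.lakeside-dental.example /c5lp/?id=6 200 312
2023-02-06T10:01:25Z 10.0.0.23 POST static.marina-supply.example /e1xa/?id=4 404 312
2023-02-06T10:01:37Z 10.0.0.23 POST www.greenfield-tractor.example /k6jd/?id=9 200 312
2023-02-06T10:01:49Z 10.0.0.23 POST portal.riverview-hotel.example /t3gb/?id=0 404 312
2023-02-06T10:00:05Z 10.0.0.40 GET intranet.corp.example /home 200 5120
2023-02-06T10:00:40Z 10.0.0.40 POST intranet.corp.example /login 302 210
2023-02-06T10:01:10Z 10.0.0.40 POST api.crm-vendor.example /v1/tickets 201 980
2023-02-06T10:02:30Z 10.0.0.40 GET news.example /article/2023/02/06 200 44000
"""


def parse_line(line: str) -> dict:
    ts, client, method, host, path, status, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "host": host, "path": path,
        "status": int(status), "size": int(size),
    }


def path_shape(path: str) -> str:
    """Collapse alphanumeric runs so '/u3kf/?id=7' and '/p8wd/?id=3' compare equal."""
    return re.sub(r"[A-Za-z0-9]+", "x", path)


def find_decoy_beaconing(lines: List[str], window: timedelta = timedelta(minutes=5),
                         min_hosts: int = 8) -> List[dict]:
    # (client, path shape) -> [(timestamp, host, status)]
    groups: Dict[tuple, list] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["method"] != "POST":
            continue
        groups[(e["client"], path_shape(e["path"]))].append((e["ts"], e["host"], e["status"]))

    alerts = []
    for (client, shape), hits in groups.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):          # sliding window over time-sorted hits
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            best = max(best, len({h for _, h, _ in hits[lo:hi + 1]}))
        if best >= min_hosts:
            errors = sum(1 for _, _, s in hits if s >= 400)
            alerts.append({"client": client, "path_shape": shape,
                           "distinct_hosts": best, "posts": len(hits),
                           "error_ratio": round(errors / len(hits), 2)})
    return alerts


if __name__ == "__main__":
    for a in find_decoy_beaconing(SAMPLE_LOG.splitlines()):
        print(a)
```

The heuristic surfaces the infected client rather than the C2 server; the genuine server is one of the contacted hosts, so the pivot is to look at which of them returned a non-error response of unusual size. Baseline the thresholds first: ad trackers and CDN beacons can also produce many-domain POST patterns from one client, which is the main source of false positives for this rule.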
The threat actors behind these attacks typically conduct reconnaissance on a specific group, primarily to determine which websites its members visit regularly. These may be discussion forums, social media platforms, blogs, or websites aimed at a particular industry or profession. They then either compromise those sites to serve malware or set up malicious third-party sites that lure users in. If users fall for it, their devices become infected, giving the threat actor unauthorised access. If the user then connects to their organization's network from the compromised device, the actor may gain unauthorised access to organizational systems as well. Techniques observed in this attack include drive-by downloads, in which visitors to the watering hole download malicious content without their knowledge, consent or action; malvertising, in which the attackers inject malicious code into advertisements served on the watering hole to spread malware to its visitors; and zero-day exploitation, in which the attackers exploit previously unknown vulnerabilities in the website itself or in the visitors' browsers.
To attract potential victims, the attackers create video tutorials on how to pirate sought-after software such as AutoCAD, Adobe Photoshop, Adobe Premiere Pro and similar paid-for products. The videos are AI-generated and feature presenters whose facial features research has shown people tend to find trustworthy. The tutorials themselves are usually bogus; their purpose is to steer viewers to links in the video description that lead to information-stealing malware such as Raccoon, Vidar and RedLine.
AI-generated YouTube videos can be used for malware distribution in several ways: