The threat actors behind these types of attacks will typically conduct reconnaissance on a specific group, primarily to determine which websites they visit on a regular basis. These can be discussion forums, social media platforms, blogs, or websites aimed at a specific industry or type of professional. They then either infect those sites with malware or create malicious third-party sites to lure users to them. If users fall for it, their devices become infected with malware, granting the threat actor unauthorised access. If the user connects to their organization's network using the compromised device, the actor may gain unauthorised access to organizational systems as well. Some of the techniques observed in this attack include: drive-by downloads, in which targets at a watering hole download malicious content without their knowledge, consent, or action; malvertising, in which attackers inject malicious code into advertisements at a watering hole in order to spread malware to their prey; and zero-day exploitation, in which threat actors exploit previously unknown vulnerabilities in the website or in the visitor's browser.
To stimulate the interest of potential victims, video tutorials on how to pirate sought-after software such as AutoCAD, Adobe Photoshop, Adobe Premiere Pro, and similar paid-for software are created. These videos are generated with AI and feature human presenters with facial features that research has shown other people find trustworthy. The tutorials in these videos are frequently bogus and steer viewers to links in the description that lead to information-stealing malware such as Raccoon, Vidar, and RedLine.
AI-generated YouTube videos can be used for malware distribution in several ways:
Such an attack usually starts with a phishing email, a text message (also known as smishing), or even a direct message (DM) on a social media app that appears urgent and requires you either to click on a link that takes you to an external website or to download a file attachment. The website is fraudulent and is intended to collect sensitive, potentially damaging information from the potential victim.
Another technique involves using a phone call, known as vishing, to trick victims into disclosing sensitive information. The attacker either calls the victim directly or uses an automated system, pretending to be calling from the victim's bank in order to collect their information and compromise their accounts.
The affected apps have been downloaded more than a combined 60 million times, and some of them include:
When an affected app is installed and started for the first time, it requests certain permissions. The malicious library then registers the device and fetches its configuration from a remote server; the configuration contains parameters that determine the level of data theft and ad fraud that will be perpetrated on the device.
The vulnerability CVE-2023-32243 allows the password of any given user to be changed. It occurs because the password reset function does not validate the password reset key and instead directly changes the password of the given user. So as long as the attacker knows the username associated with the account, they can change its password, even if that account is an administrator. The only prerequisite for the attack is therefore knowledge of a valid username on the targeted system.
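To show why the missing check matters, here is an added illustration (not code from the affected project, whose implementation the page does not show): a reset handler that accepts a key but never checks it, beside one that validates it. The in-memory user store, the key lifetime and the function names are assumptions made for this example.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory "user database" for the example: username -> record
USERS = {
    "admin": {"password": "original-admin-pw", "reset_key": None, "reset_expires": 0.0},
}

RESET_KEY_TTL = 15 * 60  # seconds a reset key stays valid (assumed policy)


def issue_reset_key(username: str, now: Optional[float] = None) -> str:
    """Generate a single-use reset key, as a 'forgot password' flow would send out."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    USERS[username]["reset_key"] = key
    USERS[username]["reset_expires"] = now + RESET_KEY_TTL
    return key


def reset_password_vulnerable(username: str, reset_key: str, new_password: str) -> bool:
    """Mirrors the CVE-2023-32243 pattern: the reset key is received but never checked."""
    user = USERS.get(username)
    if user is None:
        return False
    user["password"] = new_password  # anyone who knows the username can reset it
    return True


def reset_password_hardened(username: str, reset_key: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Resets only when the presented key matches the stored, unexpired, single-use key."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not user["reset_key"]:
        return False  # no outstanding reset request for this user
    if now > user["reset_expires"]:
        user["reset_key"] = None  # expired keys are discarded, not honoured
        return False
    if not hmac.compare_digest(user["reset_key"], reset_key):  # constant-time compare
        return False
    user["password"] = new_password
    user["reset_key"] = None  # single use: the same key cannot be replayed
    user["reset_expires"] = 0.0
    return True
```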
This sophisticated and persistent malware toolkit begins by infiltrating target systems via numerous techniques and establishing a backdoor for remote access. It then connects to a remote command and control server, from which it conducts its malicious activities on the target. The Snake tool is designed to be stealthy and persistent, making it difficult to detect and remove from infected systems. According to the report, the malware is deployed to external-facing infrastructure nodes on a network. From there, it uses other tools and tactics, techniques, and procedures (TTPs) on the internal network to conduct additional exploitation operations.
Snake infrastructure has recently been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia.