Fake VPN checker tool lets hackers bypass antivirus protections

aum

366 views, 2 minutes

Hackers are mixing cache smuggling with identity theft


• Attackers use fake Fortinet dialogs and social engineering to trick users into executing malware
• Cache smuggling hides malware in the browser cache, bypassing download and PowerShell detection tools
• Malware is extracted from fake image files and deployed as FortiClientComplianceChecker.exe


Hackers are using a combination of social engineering, cache smuggling, identity theft, and straight-up bluffing to bypass common security protections and deploy malware onto victims' computers, experts have said.


Security researchers at Expel, as well as an independent researcher with the alias P4nd3m1cb0y, observed websites pretending to be a pop-up dialog from Fortinet VPN's "Compliance Checker".


There seems to be no such thing, other than the ability to configure the FortiClient Compliance Profile within FortiOS. In any case, that dialog instructs the victim to copy what appears to be a path to a file installed on the hard drive and paste it into File Explorer.


    Used by ransomware actors


The path is actually padded with more than 100 spaces to hide its true purpose: running a PowerShell command. At the same time, the phishing website executes JavaScript that instructs the browser to fetch an image and cache it on the file system. This file is not an actual image, but rather hidden malware.


    "This technique, known as cache smuggling, enables the malware to bypass many different types of security products," the researchers explained.


"Neither the webpage nor the PowerShell script explicitly download any files. By simply letting the browser cache the fake 'image,' the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests."


    "As a result, any tools scanning downloaded files or looking for PowerShell scripts performing web requests wouldn't detect this behavior."


The script then scans each cache file for content that's actually a .ZIP file stored in the fake image, and extracts it to FortiClientComplianceChecker.exe, the actual malware. There was very little talk about who the attackers were, or the victims, but apparently some ransomware actors have already started deploying this tactic in their attacks.
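Because the payload never passes through a download, the defender's hunting ground is the browser cache itself: a cached object that begins with an image header but also contains a parseable ZIP archive is exactly the artifact described above. The following scanner is an added example written for this post, not code from Expel or the researchers; the cache directory path, the image magic list and the constructed sample file are assumptions.

```python
"""Hunt for ZIP archives hidden inside cached "image" files (cache smuggling)."""
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Magic bytes of common image formats a smuggled payload might hide behind (assumed list).
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def find_smuggled_zip(data: bytes) -> Optional[int]:
    """Return the offset of a parseable ZIP embedded after an image header, else None.

    A genuine image never carries a valid ZIP archive, so every "PK\x03\x04"
    candidate is confirmed by actually parsing the bytes from that offset.
    This avoids false positives from the signature occurring by chance.
    """
    if not data.startswith(IMAGE_MAGICS):
        return None
    offset = data.find(ZIP_LOCAL_HEADER)
    while offset != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
                if zf.namelist() and zf.testzip() is None:
                    return offset
        except zipfile.BadZipFile:
            pass  # signature bytes without a real archive behind them
        offset = data.find(ZIP_LOCAL_HEADER, offset + 1)
    return None


def scan_cache_dir(root: str) -> List[Tuple[str, int]]:
    """Walk a browser cache directory and report (path, offset) for hidden ZIPs."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable cache entry; skip it
            off = find_smuggled_zip(data)
            if off is not None:
                hits.append((path, off))
    return hits


def build_sample(entries: dict) -> bytes:
    """Constructed test fixture only: a JPEG header followed by a real ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + buf.getvalue()
```

Point `scan_cache_dir` at a copy of the browser's cache directory taken during triage; each hit gives the cache entry and the byte offset at which the embedded archive starts.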

