
New malware known as “LOBSHOT” distributed using Google Ads allows hackers to stealthily take over infected Windows devices using hVNC.

Earlier this year, BleepingComputer and many cybersecurity researchers reported a dramatic increase in threat actors using Google ads to spread malware through search results.

These ad campaigns impersonated websites for 7-ZIP, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus and many more applications.

However, instead of distributing the legitimate applications, these sites pushed malware, including Gozi, RedLine, Vidar, Cobalt Strike, SectopRAT and the Royal ransomware.

LOBSHOT distributed by Google ads

In a new report from Elastic Security Labs, researchers have revealed that a new remote access Trojan named LOBSHOT is being distributed through Google Ads.

These ads promoted the legitimate AnyDesk remote management software, but led to a bogus AnyDesk site at amydeecke[.]website.

This site pushed a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain historically associated with the TA505/Clop ransomware gang.

However, Proofpoint threat researcher Tommy Madjar previously told BleepingComputer that this domain had changed ownership in the past, so it’s unclear if TA505 is still using it.

The downloaded DLL file is the LOBSHOT malware and will be saved in the C:\ProgramData folder and then executed by RunDLL32.exe.

“We have observed over 500 unique LOBSHOT samples since last July. The samples we have observed are compiled as 32-bit DLLs or 32-bit executables typically ranging around 93 KB to 124 KB,” explains the Elastic Security Labs Report.

Once executed, the malware checks to see if Microsoft Defender is running and, if detected, terminates execution to prevent detection.

However, if Defender is not detected, the malware configures registry entries so that it starts automatically when a user logs into Windows, and then transmits the infected device’s system information, including its running processes.
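The execution chain described above (an MSI that spawns PowerShell, a DLL dropped into C:\ProgramData and launched by RunDLL32.exe, and a registry autostart entry) is something a defender can hunt for in process-creation and registry telemetry. The script below is an added example written for this article; it is not code from BleepingComputer or from Elastic Security Labs. It assumes Sysmon-style events (Event ID 1 for process creation, Event ID 13 for registry value writes) represented as Python dicts, and every sample event, path, DLL name and SID in it is constructed for illustration.

```python
"""Hunt for a LOBSHOT-style execution chain in Sysmon-like events.

Added example, not from the article or Elastic's report. Event layout and all
sample values below are constructed assumptions.
"""
import ntpath
import shlex

PROGRAMDATA = r"c:\programdata"
RUN_KEY_MARK = "\\currentversion\\run\\"   # HKCU/HKLM ...\CurrentVersion\Run\<value>


def _norm(path: str) -> str:
    """Lower-case a Windows path and drop surrounding quotes."""
    return path.strip().strip('"').lower()


def rundll32_dll(cmdline: str):
    """Return the DLL path handed to rundll32.exe, or None if this is not a rundll32 launch."""
    try:
        # posix=False keeps backslashes literal and honours "quoted paths"
        parts = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if len(parts) < 2 or ntpath.basename(_norm(parts[0])) != "rundll32.exe":
        return None
    # rundll32 syntax is "<dll>[,<export>] [args]"; keep only the DLL path
    return _norm(parts[1].split(",", 1)[0])


def in_programdata(path: str) -> bool:
    return path.startswith(PROGRAMDATA + "\\")


def hunt(events):
    """Return (rule, time, detail) tuples for events matching the chain."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = ntpath.basename(_norm(ev.get("Image", "")))
            parent = ntpath.basename(_norm(ev.get("ParentImage", "")))
            if image == "rundll32.exe":
                dll = rundll32_dll(ev.get("CommandLine", ""))
                if dll and in_programdata(dll):
                    hits.append(("rundll32_programdata_dll", ev["UtcTime"], dll))
            elif image == "powershell.exe" and parent == "msiexec.exe":
                # an installer spawning PowerShell is rare in legitimate packages
                hits.append(("msi_spawned_powershell", ev["UtcTime"], ev.get("CommandLine", "")))
        elif eid == 13:  # registry value set
            target = ev.get("TargetObject", "").lower()
            details = ev.get("Details", "").lower()
            if RUN_KEY_MARK in target and "rundll32" in details and PROGRAMDATA in details:
                hits.append(("run_key_rundll32_programdata", ev["UtcTime"], ev["TargetObject"]))
    return hits


# Constructed sample telemetry: one infection chain plus one benign rundll32 use.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-05-01 10:00:01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\AnyDesk-setup.msi"'},
    {"EventID": 1, "UtcTime": "2023-05-01 10:00:02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": 'powershell.exe -w hidden -c "<download command omitted; constructed>"'},
    {"EventID": 1, "UtcTime": "2023-05-01 10:00:03", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\EXAMPLE.dll,Start'},
    {"EventID": 13, "UtcTime": "2023-05-01 10:00:04",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\EXAMPLE",
     "Details": r"rundll32.exe C:\ProgramData\EXAMPLE.dll,Start"},
    {"EventID": 1, "UtcTime": "2023-05-01 10:05:00", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
]

if __name__ == "__main__":
    for rule, when, detail in hunt(SAMPLE_EVENTS):
        print(f"{when}  {rule:32s}  {detail}")
```

Run against the constructed sample, the script flags the PowerShell spawned by msiexec, the rundll32 launch of a ProgramData DLL and the Run-key entry, while the legitimate shell32.dll invocation is ignored. Because the article notes the malware exits when Microsoft Defender is running, the full chain is most likely to appear on hosts where Defender is disabled or replaced, which is worth folding into triage.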

The malware will also scan for 32 Chrome cryptocurrency wallet extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions.

After listing the extensions, the malware will execute a file in C:\ProgramData. However, since this file did not exist in their analysis, Elastic does not know if it is used to steal extension data or for other purposes.

While the theft of cryptocurrency extensions is common, Elastic also discovered that the malware included an hVNC module, allowing threat actors to discreetly gain remote access to an infected device.

Stealth Control of Victim Devices

hVNC, or hidden virtual network computing, is VNC remote access software modified to control a hidden desktop on the infected device rather than the main desktop used by the device owner.

This allows a hacker to remotely control a Windows desktop computer without the victim knowing it is happening.

According to Elastic, LOBSHOT deploys an hVNC module that allows threat actors to control the hidden desktop using their own mouse and keyboard as if they were sitting in front of the machine.

“At this point, the victim machine will start sending screenshots that represent the hidden desktop that is sent to an attacker-controlled listening client,” Elastic explains.

“The attacker interacts with the client by controlling the keyboard, clicking buttons and moving the mouse; these capabilities provide the attacker with full remote control of the device.”

By using hVNC, threat actors have full control over the device, allowing them to execute commands, steal data, and even deploy other malware payloads.

As AnyDesk is commonly used in corporate environments, the malware is likely used for initial access to corporate networks and for spreading laterally to other devices.

This type of access could lead to ransomware attacks, data extortion, and other attacks.
