Fake MSI Afterburner website promoted via Google ads leads to Malware infostealer

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
293
We've just found a fake MSI Afterburner website promoted via Google Ads (first result on the first page) when you search "msi afterburner" that leads to an infostealer:



The "Download Afterburner" button points to a Google Drive URL that directly downloads the "MSI Afterburner.zip" file, which contains the malicious "MSI Afterburner.exe" file.

Always pay attention to where you download software from, and always check that the website's domain name exactly matches the official website.

I thought it would be useful to share it here too.
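An added triage check, not part of the original post, that encodes the red flags described here in Python: a download served from a file-hosting URL rather than the vendor's own domain, a zip carrying an executable named after the product, and lookalike domains. The official domains follow the Guru3D advice quoted later in this thread (msi.com and guru3d.com); the file-hosting list and the sample URL are assumptions.

```python
from urllib.parse import urlparse

# Official download sources for MSI Afterburner named in this thread (MSI and Guru3D).
OFFICIAL_DOMAINS = {"msi afterburner": {"msi.com", "guru3d.com"}}
# Generic file-hosting services; an assumed list, drive.google.com is the one seen here.
FILE_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "mega.nz"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com-style domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_download(product: str, url: str, archive_members: list) -> list:
    """Return finding codes for a download; an empty list means no red flag was seen."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    official = OFFICIAL_DOMAINS.get(product.lower(), set())
    if domain in official:
        return findings  # served from the vendor's own domain
    findings.append("not-official-domain")
    if host in FILE_HOSTS or domain in FILE_HOSTS:
        findings.append("file-hosting-service")  # e.g. the Google Drive link above
    if any(edit_distance(domain, o) <= 2 for o in official):
        findings.append("lookalike-domain")  # a "sneaky letter change" in the name
    stem = product.lower().replace(" ", "")
    for member in archive_members:
        name = member.lower().replace(" ", "")
        if name.endswith((".exe", ".scr", ".bat", ".msi")) and stem in name:
            findings.append("product-named-executable")  # "MSI Afterburner.exe" in the zip
            break
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the thread: a Google Drive link and a zip holding an .exe.
    print(assess_download("MSI Afterburner", "https://drive.google.com/uc?id=EXAMPLE", ["MSI Afterburner.exe"]))
```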
 

OTTO

Level 1
Verified
Jul 18, 2015
26
Kaspersky thinks the website is safe.

Yet even without clicking on the website, Kaspersky came up with a warning.

How can a website throw a trojan at me without clicking on it? Besides, I am on Google. Damn scary for me.
What's strange is Kaspersky can detect the malware but didn't add the website to the malicious category yet. Perhaps, other than the stealer, there is also a risk of infecting yourself just by going to that website.

edit: I visited the website with Sandboxie and downloaded the file. Kaspersky detected the infostealer:
Component: File Anti-Virus
Result description: Deleted
Type: Trojan
Name: HEUR:Trojan-Banker.Win32.Bandra.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: MSI Afterburner.exe

So actually there are two pieces of malware on that website. One of them infects you the moment you visit, and the second one is an infected zip file.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Found an even better one the other day, where no sneaky letter change was involved. The site name seemed very legit, so that one was even more convincing. When I found it, signature-wise it was only detected by Microsoft Defender, but before that some damage was already done, as some MD users were already affected by it (found on Reddit) before MD created a signature (post-infection signature, probably). The other one I tested was BD Free, which very quickly detected it with its behavior blocker after execution.
Cases like these are one more example of why adblockers are so important.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Blocked by my hardware firewall with Geo-IP filtering (Russian server IP) and blocked by NextDNS (Newly Registered Domains).
G Data doesn't detect the website. A very important point from @SeriousHoax: use a good adblocker and don't rely only on your antivirus protection.
 

Stenographers

Level 2
Nov 11, 2022
48
Thinking of this from the perspective of my users, how do I go about getting the average Joe protected against this? Obviously the fact that they don't have local admin will stop them from running it. But then you have ransomware that doesn't need local admin. We do have a system to allow/blocklist apps, and only those set to allow can execute. So I suppose that would stop it. And we do deploy an ad blocker company wide, so there is another road block. But I need layered security. Anyone think of any vectors I haven't covered in the context of this attack?
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,585
Thinking of this from the perspective of my users, how do I go about getting the average Joe protected against this? Obviously the fact that they don't have local admin will stop them from running it. But then you have ransomware that doesn't need local admin. We do have a system to allow/blocklist apps, and only those set to allow can execute. So I suppose that would stop it. And we do deploy an ad blocker company wide, so there is another road block. But I need layered security. Anyone think of any vectors I haven't covered in the context of this attack?
Already talked about NextDNS above, and I actually think it can be especially effective in a small business environment. Some features that could come in handy for your employees:

I'm personally just a big fan of NextDNS but there are also other effective solutions out there. I just think that all the controls that NextDNS provides are especially good if you are an admin in a company. So you can manage multiple systems in your corporate network.

NextDNS: NextDNS

NextDNS plans for business: Pricing - NextDNS
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,464
Thinking of this from the perspective of my users, how do I go about getting the average Joe protected against this? Obviously the fact that they don't have local admin will stop them from running it. But then you have ransomware that doesn't need local admin. We do have a system to allow/blocklist apps, and only those set to allow can execute. So I suppose that would stop it. And we do deploy an ad blocker company wide, so there is another road block. But I need layered security. Anyone think of any vectors I haven't covered in the context of this attack?
I think it's a very difficult problem. Finding it by searching means that the user is actively searching for the target software by name. To put it in extreme terms, it leans toward defeat at the point of searching.
I still think the best pretreatment is to hide it from view with ad blocking or DNS.
 

Stenographers

Level 2
Nov 11, 2022
48
Already talked about NextDNS above, and I actually think it can be especially effective in a small business environment. Some features that could come in handy for your employees:


I'm personally just a big fan of NextDNS but there are also other effective solutions out there. I just think that all the controls that NextDNS provides are especially good if you are an admin in a company. So you can manage multiple systems in your corporate network.

NextDNS: NextDNS

NextDNS plans for business: Pricing - NextDNS
This is great, looking into this now. Thanks!
 

Stenographers

Level 2
Nov 11, 2022
48
I think it's a very difficult problem. Finding it by searching means that the user is actively searching for the target software by name. To put it in extreme terms, it leans toward defeat at the point of searching.
I still think the best pretreatment is to hide it from view with ad blocking or DNS.
I think my best bet is to consider it, at that point, a training problem. Users should be reaching out to IT for anything relating to maintenance on the computer, and that needs to be communicated to them when they're hired. Maybe I'll point this out as an example of why IT handles these things.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Really disappointed with Kaspersky.
I shared a phishing site discovered by APIVoid aka @NoVirusThanks to ESET, Bitdefender and Kaspersky.

ESET didn't block it initially, BD said the site is clean, and Kaspersky gave a weird reply saying:
Thank you for sending a request to Kaspersky!
Please note, this site can only be blocked by a legal decision.
Wait what? Legal decision for blocking a fake store?
I told one of my friends who has expertise in finding and reporting these types of phishing sites. He immediately said:
This is bull****. Kaspersky is useless. If there is a legal decision, they will take the site down. People install security products to be protected before the legal forces take action. If they get involved they will take the whole network down, so why do you need Kaspersky then?
I fully agree with him.
Anyway, a mere 5 minutes later, he showed me some info which very clearly indicates that the website is a scam. Too many obvious red flags. After that he sent his findings to Bitdefender's support mail, which he always does, and I told him to report to ESET also, and he did.
The next morning, I saw ESET had started detecting it as phishing, and today Bitdefender replied to him and has started blocking it as well.
And there we have Kaspersky, saying for the second time to me that:
We do not block suspicious shops without legal decision.
Absolutely ridiculous 😑
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
After 2 days, ESET still detects that supposed phishing site, weird: VirusTotal

I'm still waiting for the K. analyst's final verdict.

Their reply could take up to 2 or 3 days...
Yeah, it's a fake store, so ESET started detecting it after it was reported in detail. BD also detects it even though it's not showing in VirusTotal. Kaspersky probably hasn't replied to you yet because it's the weekend. But as I said, I already got multiple same/similar replies from their Senior Web Content Analyst. You are likely to get the same reply as well.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Guru of 3D says:

If you have a new graphics card or need to reinstall MSI Afterburner, make sure you download it through MSI's website or at Guru3D.com (we are the creators of this software) rather than a third-party distributor.

When using Google, carefully examine the website's URL before clicking. Use common sense and never ever download software from another party, even if you consider them trusted, as they could be unknowingly distributing malware.

 
