Security News Ars Technica used in malware campaign with never-before-seen obfuscation

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,101
Ars Technica was recently used to serve second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description. The string was generated using a technique known as Base 64 encoding. Base 64 converts text into a printable ASCII string format to represent binary data. Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage.

“This is a different and novel way we’re seeing abuse that can be pretty hard to detect,” Mandiant researcher Yash Gupta said in an interview. “This is something in malware we have not typically seen. It’s pretty interesting for us and something we wanted to call out.”

The image posted on Ars appeared in the about profile of a user who created an account on November 23. An Ars representative said the photo, showing a pizza and captioned “I love pizza,” was removed by Ars staff on December 16 after being tipped off by email from an unknown party. The Ars profile used an embedded URL that pointed to the image, which was automatically populated into the about page. The malicious base 64 encoding appeared immediately following the legitimate part of the URL. The string didn’t generate any errors or prevent the page from loading.


Full report by Mandiant researchers: https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware
 

brambedkar59

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,097
I was gonna say something but this comment on Ars perfectly describes what I intended to say.

"The whole thing is just bizarre to me. The URL only affected people who were infected with malware already, it was harmless to anyone else. But if you already infected them with malware relying on them visiting a specific URL to trigger a payload seems incredibly awkward and stupid."
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
I was gonna say something but this comment on Ars perfectly describes what I intended to say.

"The whole thing is just bizarre to me. The URL only affected people who were infected with malware already, it was harmless to anyone else. But if you already infected them with malware relying on them visiting a specific URL to trigger a payload seems incredibly awkward and stupid."
Might have been a proof of concept trial.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I think that the Madiant researchers tried to show a novel way of abusing legal websites that can be pretty hard to detect. So, the payloads can survive undetected on the web and can be accessed by malware. Users cannot be infected by visiting the abused websites, but those legal websites can be a part of a successful attack.
In this way, the malicious code is not stored in the initial malware and the initial malware does not contain malicious URLs. The code is updated (after execution) from a legal website. Such malware has a great chance of bypassing AV detection.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top