Fake MSI Afterburner website promoted via Google ads leads to Malware infostealer

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
292
We've just found a fake MSI Afterburner website promoted via Google Ads (first result on first page) when you search "msi afterburner" that leads to malware infostealer:



The "Download Afterburner" button points to a Google Drive URL that directly downloads the "MSI Afterburner.zip" file, that contains the malicious "MSI Afterburner.exe" file.

Pay always attention from where you download the software and always check the website domain name that matches exactly the official website.

I thought it would be useful to share it here too.
 

OTTO

Level 1
Verified
Jul 18, 2015
26
Kaspersky thinks website safe
4mgv7ce.png

Yet even without clicking on the website, kaspersky came with a warning
f8z15w2.png

How can a website throw a trojan at me without clicking on it ? Besides i am on google. Damn scary for me.
Whats strange is kaspersky can detect malware but didnt add website to malicious category yet. Perhaps other than stealer, there is also risk of infecting yourself just by going to that website.

edit: I visited website with sandboxie and downloaded file. Kaspersky detected infostealer
Component: File Anti-Virus
Result description: Deleted
Type: Trojan
Name: HEUR:Trojan-Banker.Win32.Bandra.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: MSI Afterburner.exe

So actually there are two malwares in that website. One of them infects you the moment you visit and second one is a infected zip file
 
Last edited:

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Found an even better one the other day, where there was no sneak letter change was involved. The site name seemed very legit so that one was even more convincing. When I found it, signature wise it was only detected by Microsoft Defender but before that some damage was already done as some MD users were already affected by it (Found on Reddit) before MD created a signature (post-infection signature probably). The other one I tested was BD Free, which very quickly detected it by its behavior blocker after execution.
Cases like these are one more example of why adblockers are so important.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
Blocked by my hardware firewall with Geo-IP filtering (Russian server IP) and blocked by NextDNS (Newly Registered Domains)
G Data doesn't detect the website. Very important statement of @SeriousHoax to use a good adblocker and not only rely on your antivirus protection.
 

Stenographers

Level 2
Nov 11, 2022
48
Thinking of this from the perspective of my users, how do I go about getting the average Joe protected against this? Obviously the fact that they don't have local admin will stop them from running it. But then you have ransomware that doesn't need local admin. We do have a system to allow/blocklist apps, and only those set to allow can execute. So I suppose that would stop it. And we do deploy an ad blocker company wide, so there is another road block. But I need layered security. Anyone think of any vectors I haven't covered in the context of this attack?
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
Thinking of this from the perspective of my users, how do I go about getting the average Joe protected against this? Obviously the fact that they don't have local admin will stop them from running it. But then you have ransomware that doesn't need local admin. We do have a system to allow/blocklist apps, and only those set to allow can execute. So I suppose that would stop it. And we do deploy an ad blocker company wide, so there is another road block. But I need layered security. Anyone think of any vectors I haven't covered in the context of this attack?
Already talked about NextDNS above and I actually think that it can especially be effective in a small business environment. Some features that could come in handy for your employees:

Screenshot 2022-11-20 231159.jpg

Screenshot 2022-11-20 231211.jpg

Screenshot 2022-11-20 231223.jpg

I'm personally just a big fan of NextDNS but there are also other effective solutions out there. I just think that all the controls that NextDNS provides are especially good if you are an admin in a company. So you can manage multiple systems in your corporate network.

NextDNS: NextDNS

NextDNS plans for business: Pricing - NextDNS
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,463
Thinking of this from the perspective of my users, how do I go about getting the average Joe protected against this? Obviously the fact that they don't have local admin will stop them from running it. But then you have ransomware that doesn't need local admin. We do have a system to allow/blocklist apps, and only those set to allow can execute. So I suppose that would stop it. And we do deploy an ad blocker company wide, so there is another road block. But I need layered security. Anyone think of any vectors I haven't covered in the context of this attack?
I think it's a very difficult problem. Finding it by searching means that the user is actively searching for the target software by name. To put it in extreme terms, it leans toward defeat at the point of searching.
I still think the best pretreatment is to hide it from view with ad blocking or DNS.
 

Stenographers

Level 2
Nov 11, 2022
48
Already talked about NextDNS above and I actually think that it can especially be effective in a small business environment. Some features that could come in handy for your employees:


I'm personally just a big fan of NextDNS but there are also other effective solutions out there. I just think that all the controls that NextDNS provides are especially good if you are an admin in a company. So you can manage multiple systems in your corporate network.

NextDNS: NextDNS

NextDNS plans for business: Pricing - NextDNS
This is great, looking into this now. Thanks!
 

Stenographers

Level 2
Nov 11, 2022
48
I think it's a very difficult problem. Finding it by searching means that the user is actively searching for the target software by name. To put it in extreme terms, it leans toward defeat at the point of searching.
I still think the best pretreatment is to hide it from view with ad blocking or DNS.
I think my best bet is to consider it at that point a training problem. User should be reaching out to IT for anything relating to maintenance on the computer, and that needs to be communicated with them when their hired. Maybe I'll point this out as an example as to why IT handles these things.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Really disappointed with Kaspersky.
I shared a phishing site discovered by APIVoid aka @NoVirusThanks to ESET, Bitdefender and Kaspersky.

ESET didn't block initially, BD said the site is clean, Kaspersky gave a weird reply saying,
Thank you for sending a request to Kaspersky!
Please note, this site can only be blocked by a legal decision.
Wait what? Legal decision for blocking a fake store?
I told it to one of my friends who expertise in finding and reporting these type of phishing sites. He immediately said,
This is bull****. Kaspersky is useless. If there is a legal decision, they will take the site down. People install security products to be protected before the legal forces take action. If they get involved they will take the whole network down, why do you need kaspersky then.
I fully agree with him.
Anyway, in mere 5 minutes later, he showed me some info which very clearly indicates that the website is a scam. Too many obvious red flags. After that he sent his findings to Bitdefender's support mail which he always does, and I told him to report to ESET also, and he did.
The next morning, I saw ESET started detecting it as phishing and today Bitdefender replied to him and has started blocking it as well.
And there we have Kaspersky, saying for the second time to me that,
We do not block suspicious shops without legal decision.
Absolutely ridiculous 😑
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
After 2 days still ESET detects that supposed phishing site, weird: VirusTotal

I'm still waiting for K. analyst final verdict:

View attachment 270979

Their reply could take until 2 or 3 days...
Yeah, it's a fake store, so ESET started detecting it after it was reported in details. BD also detects it even though it's not showing in Virustotal. Kaspersky probably haven't replied to you yet because it's the weekends. But as I said, I already got multiple same/similar replies from their Senior Web Content Analyst. You are likely to get the same reply also.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Guru of 3D says:

If you have a new graphics card or need to reinstall MSI Afterburner, make sure you download it through MSI's website or at Guru3D.com (we are the creators of this software) rather than a third-party distributor.

When using Google, carefully examine the website's URL before clicking. Use common sense and never ever download software from another party, even if you consider them trusted, as they could be unknowingly distributing malware.


.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top