- Aug 17, 2014
"A new Mars Stealer campaign uncovered by Morphisec is using Google Ads advertising to rank cloned OpenOffice sites high on Canadian search results."
Poisoning Google Search results with malicious ads (Morphisec)
OpenOffice is a once-popular open-source office suite now belonging to the Apache foundation and has been surpassed by LibreOffice, which started as its fork back in 2010.
However, OpenOffice still enjoys a respectable number of daily downloads from people who seek a free document and spreadsheet editor. Possibly, the threat actors didn’t clone the much more popular LibreOffice because that would result in a quick take-down due to numerous reports.
The OpenOffice installer on the phony site is, in reality, a Mars Stealer executable packed with the Babadeda crypter or the AutoIt loader, so victims unknowingly infect themselves when they run it.
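The defensive counterpart to this delivery trick is to treat an installer as untrusted until its origin and its hash check out. The following is an added example, not code from the article or from Morphisec: it takes a download URL and the downloaded bytes, checks the host against an allowlist of official download domains (the allowlist and the lookalike domain here are assumptions chosen for illustration), and compares the file's SHA-256 against a published reference hash. The installer bytes and the reference hash are constructed in the example itself.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed allowlist of hosts an organisation accepts as legitimate sources for
# the OpenOffice installer. Adjust to the vendor's documented download hosts.
OFFICIAL_DOWNLOAD_HOSTS = {"www.openoffice.org", "sourceforge.net"}


def is_official_download_host(url: str) -> bool:
    """True if the URL's host is an allowlisted host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in OFFICIAL_DOWNLOAD_HOSTS:
        return True
    return any(host.endswith("." + allowed) for allowed in OFFICIAL_DOWNLOAD_HOSTS)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison against the hash published by the vendor."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def assess_download(url: str, data: bytes, expected_sha256: str) -> list:
    """Return a list of reasons to distrust the download; empty means it passed."""
    reasons = []
    if not is_official_download_host(url):
        reasons.append("download host is not on the official allowlist")
    if not matches_published_hash(data, expected_sha256):
        reasons.append("SHA-256 does not match the published hash")
    return reasons


# Constructed sample data: a stand-in "genuine" installer and a stand-in
# tampered one. Real installers are much larger; only the hashing matters here.
GENUINE_INSTALLER = b"MZ constructed genuine OpenOffice installer bytes"
TAMPERED_INSTALLER = b"MZ constructed installer bytes swapped for a stealer"
PUBLISHED_SHA256 = sha256_hex(GENUINE_INSTALLER)  # what the vendor page would list

if __name__ == "__main__":
    official_url = "https://www.openoffice.org/download/Apache_OpenOffice_setup.exe"
    lookalike_url = "https://openoffice-download.example/Apache_OpenOffice_setup.exe"
    print("official:", assess_download(official_url, GENUINE_INSTALLER, PUBLISHED_SHA256))
    print("lookalike:", assess_download(lookalike_url, TAMPERED_INSTALLER, PUBLISHED_SHA256))
```

Either check alone is weak on its own: an ad-placed clone can copy the vendor's page and even publish a matching hash for its own binary, which is why the hash must come from the allowlisted host and not from the page that served the file.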
Due to an error in the configuration instructions of the cracked version, the operator has exposed the victims' 'logs' directory, giving any visitor full access to it.
A log is a zip file containing data stolen by an information-stealing Trojan and uploaded to threat actors' command and control servers.
A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it.