Hidden Financial Trojans and Info Stealers Delivered via Google Ads
In another example of how threat actors abuse Google Ads to serve malware, attackers have been observed leveraging a technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOTS.
“LOBSHOT continues to rack up victims while remaining under the radar,” Elastic Security Labs researcher Daniel Stepanic said in an analysis. published last week.
“One of LOBSHOT’s core capabilities is around the hVNC (Hidden Virtual Network Computing) component. This type of module allows direct, unobserved access to machines.”
The American-Dutch company associated the type of malware with a threat actor known as TA505 based on the infrastructure historically connected to the group. TA505 is a financially motivated electronic crime syndicate with overlapping activity groups tracked under the names Evil Corp, FIN11, and Indrik Spider.
This latest development is significant because it is a sign that TA505, which is related to the Dridex banking trojan, is once again expanding its malware arsenal to commit data theft and financial fraud.
LOBSHOT, with early samples since July 2022, is distributed via rogue Google ads for legitimate tools like AnyDesk hosted on a network of similar landing pages maintained by operators.
The malware incorporates dynamic import resolution (i.e., resolves required Windows API names at runtime), anti-emulation checks, and string obfuscation to avoid detection by security software.
Once installed, it makes Windows Registry changes to set persistence and siphons data from more than 50 cryptocurrency wallet extensions that reside in web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
LOBSHOT’s other notable features revolve around its ability to remotely access compromised hosts via hVNC module and silently perform acts on him without attracting the victim’s attention.
“Threat groups continue to use malvertising techniques to disguise legitimate software with backdoors such as LOBSHOT,” said Stepanic.
“This type of malware appears small, but ultimately packs significant functionality that helps threat actors move quickly during the early access stage with fully interactive remote control capabilities.”
Learn How to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
The findings also underscore how an increasing number of adversaries are adopting malvertising and search engine poisoning (SEO) as techniques to redirect users to bogus websites and download trojan installers of popular software.
According to data from and feelthe threat actor behind GootLoader has been linked to a series of attacks targeting law firms and corporate law departments in the US, Canada, UK and Australia.
GootLoader, active since 2018 and which served as the initial access-as-a-service operation for ransomware attacks, implemented SEO poisoning to lure victims seeking agreements and contracts to infected WordPress blogs that lead to links containing malware.
As well as implementing geofencing to target victims in specific regions, the attack chain is designed so that the malware can only be downloaded once per day from the hijacked site to avoid discovery by incident responders.
GootLoader’s use of the IP address method to filter out hacked victims, according to eSentire, could be used against it to block end users’ IP addresses in advance and prevent organizations from potential infection.