Fake downloads are being used to distribute password-stealing and keylogging malware

Researchers have found a new campaign that uses custom malware to collect victims' usernames, passwords, and other personal data.



Cyber attackers are using online advertisements for fake versions of popular software to trick users into downloading three types of malware. These include a malicious browser extension with the same capabilities as Trojan malware, and together they provide attackers with usernames and passwords as well as backdoor remote access to infected Windows PCs.

  • Cybersecurity experts at Cisco Talos, who have named the campaign 'Magnat', report that the attacks distribute two types of custom-developed malware that appear to be undocumented.
  • More than half of the victims were from Canada, but there were also victims from Nigeria, Europe, the United States, and Australia.

Researchers suspect that users are misled into installing the malware by malicious internet advertisements that deceive people into downloading fake installers for popular software. Users are most likely seeking legitimate copies of the software, but the advertising directs them to harmful ones.

Fake versions of chat applications like Viber and WeChat, as well as fake installers for famous video games like Battlefield, are among the lures that users are deceived into installing.

How is this happening? 

Instead of installing the stated software, the installer downloads three types of malware:

Password stealer

  • Redline, a fairly well-known malware that steals all the usernames and passwords it discovers on the infected system, is the password stealer used in the attacks. The Magnat campaign previously distributed Azorult, a different password stealer. Azorult, like many other types of malware, stopped operating correctly following the introduction of Chrome 80 in February 2020, prompting the transition to Redline.


Backdoor

  • MagnatBackdoor appears to be a more custom-built piece of malware that has been deployed since 2019, although it has gone silent for months at a time. It configures the infected Windows machine to allow stealthy Remote Desktop Protocol (RDP) access, adds a new user, and schedules the system to periodically ping the attackers' command and control server. The backdoor gives attackers covert remote access to the PC.

Malicious browser extension that allows keylogging and screenshots of the infected user's screen.

  • According to researchers, the payload is a downloader for a malicious Google Chrome extension known as MagnatExtension. The extension does not come from the Chrome Extension Store; it is supplied by the attackers. It includes a keylogger, which records everything the user types in the browser, as well as the ability to grab screenshots, steal cookies, and steal information entered into forms directly from the web browser. All of this data is subsequently forwarded to the attackers.
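A defender-side check for the situation described above, an extension present in Chrome that did not come from the store. This is an added example, not code from Cisco Talos or the original article; it assumes Chrome's per-profile Preferences JSON layout (`extensions.settings` records with `from_webstore`, `location` and `path` fields), and the sample profile data is constructed.

```python
import json

# Chromium ManifestLocation codes (assumption: taken from Chromium, not the article).
LOCATIONS = {1: "internal", 2: "external_pref", 3: "external_registry",
             4: "unpacked", 5: "component", 10: "external_component"}
BUILT_IN = {"component", "external_component"}  # ship with the browser itself


def sideloaded_extensions(prefs_text):
    """Return extensions a profile records as not installed from the store."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, rec in sorted(settings.items()):
        if not isinstance(rec, dict):
            continue
        location = LOCATIONS.get(rec.get("location"), "unknown")
        if location in BUILT_IN:
            continue
        # A missing flag is treated the same as an explicit False.
        if rec.get("from_webstore") is True:
            continue
        manifest = rec.get("manifest") or {}
        findings.append({"id": ext_id, "location": location,
                         "name": manifest.get("name", "<not recorded>"),
                         "path": rec.get("path", "")})
    return findings


# Constructed sample of a profile's Preferences file (IDs and paths are made up).
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1, "path": "a" * 32 + "\\1.0_0",
               "manifest": {"name": "Store-installed helper"}},
    "b" * 32: {"from_webstore": False, "location": 5, "path": "resources\\pdf"},
    "c" * 32: {"from_webstore": False, "location": 4,
               "path": "C:\\Users\\example\\AppData\\Local\\Temp\\ext"},
    "d" * 32: {"location": 4, "path": "C:\\ProgramData\\example\\ext",
               "manifest": {"name": "Example loader"}},
}}})

if __name__ == "__main__":
    for hit in sideloaded_extensions(SAMPLE_PREFS):
        print(hit["id"], hit["location"], hit["name"], hit["path"])
```

Extensions loaded in developer mode for legitimate work show up in the same list, so each hit needs review against what the user is known to have installed.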

Researchers have compared the extension's capabilities to those of a banking Trojan. They believe the malware's ultimate goal is to collect user passwords, either to sell on the dark web or for the attackers to exploit further. The cybercriminals behind MagnatBackdoor and MagnatExtension have spent years creating and upgrading the malware, and this is expected to continue.



Researchers from Cisco Talos believe the attackers are using 'malvertising' to reach users who are searching for software-related keywords and present them with links to download popular software. This sort of attack can be quite successful, and it necessitates many layers of security controls, such as network filtering, security awareness training, and endpoint protection.


Credit: zdnet
