Security News > 2023 > May > LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT. "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week.

The American-Dutch company attributed the malware strain to a threat actor known as TA505 based on infrastructure historically connected to the group.

The latest development is significant because it's a sign that TA505, which is associated with the Dridex banking trojan, is once again expanding its malware arsenal to perpetrate data theft and financial fraud.

LOBSHOT, with early samples dating back to July 2022, is distributed by means of rogue Google ads for legitimate tools like AnyDesk that are hosted on a network of lookalike landing pages maintained by the operators.

"These kinds of malware seem small, but end up packing significant functionality which helps threat actors move quickly during the initial access stages with fully interactive remote control capabilities."

GootLoader, active since 2018 and which functions as an initial access-as-a-service operation for ransomware attacks, employ SEO poisoning to entice victims searching for agreements and contracts to infected WordPress blogs that point to links containing the malware.

News URL

https://thehackernews.com/2023/05/lobshot-stealthy-financial-trojan-and.html