Threat Actors Hijacking Websites To Deliver .NET-Based Malware

Summary: ClearFake is a malware-distribution campaign that serves deceptive prompts (fake antivirus warnings and fake browser-update pages) from hijacked legitimate websites and uses them to deliver .NET-based malware. Because it stages its payloads on legitimate services such as GitHub and Bitbucket and hides its links behind URL shorteners, the operation is difficult to detect for defenders and ordinary users alike.

Threat Actor: ClearFake
Victim: Internet Users

Key Points:

  • ClearFake uses fake antivirus warnings to pressure users into paying for the removal of infections that do not exist.
  • The operation hijacks legitimate websites to distribute .NET-based malware, which complicates detection.
  • Hosting payloads on free code hosting services such as GitHub and Bitbucket lets the attackers blend in with normal developer traffic.
  • URL shortening services hide the real destination of malicious links, which makes users more likely to click them.
  • Cybersecurity experts emphasize the need for vigilance against deceptive update prompts and links from any source.
ClearFake is a malware-distribution campaign that pushes fake antivirus software designed to make users believe their systems are infected.

Such scareware may demand payment to "remove" the supposed infection, or it may install further malware that steals sensitive data or causes additional damage to the victim's system.


Cybersecurity analysts at Avast Threat Labs recently identified threat actors actively hijacking websites to deliver .NET-based malware.

Hijacking Websites To Deliver .NET-Based Malware

Threat actors often choose .NET for their malware because it lets them build complex, easily obfuscated code that is hard to detect.

The framework's extensive set of libraries allows rapid development and easy integration of malicious functionality, and because the .NET runtime ships with Windows, the resulting payloads run on a broad range of Windows victims without extra dependencies.

ClearFake is a recently observed, highly sophisticated malware-distribution campaign.

The operation compromises legitimate websites and uses them, without their owners' knowledge, as platforms for serving malware.

The delivered payloads are built on the .NET framework, which indicates a focus on Windows systems, where the runtime is already present.

What distinguishes ClearFake from other campaigns of its kind is its intelligent utilization of free code hosting services such as GitHub and Bitbucket.

Infection process (Source – X)

The attackers use these platforms to host, distribute, and possibly update their malware payloads.

This makes the resulting traffic almost indistinguishable from normal developer activity, so security controls that trust these domains are unlikely to block it.

The campaign also uses URL shortening services such as "http://redr[.]me", which adds another layer of obfuscation.

Shortened links hide the real destination of a malicious URL, which both hampers detection and increases click-through rates.

ClearFake poses a serious challenge for security teams and ordinary internet users alike because it abuses these legitimate web services.

The techniques used in this campaign show how much more complex new threats are becoming. Defending against them requires caution with links from any source, better web filtering, and awareness that legitimate online services can be misused for malicious purposes.

Fake update prompt (Source – X)

Cybersecurity researchers strongly urged users to remain vigilant and warned of the pages asking them to update their web browsers.

IoCs

  • Infected webpage: stoicinvesting[.]com
  • Payload URL: dais7nsa[.]pics/endpoint
  • Binance smart contract: 0xa6165aa33ac710ad5dcd4f4d6379466825476fde
  • GitHub repo: github[.]com/BrowserCompanyLLC/-12
  • Bitbucket repos: bitbucket[.]org/shakespeare1/workspace/projects/
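The following is an added example, not code from the article or from Avast Threat Labs. It turns the two points above, payloads staged on free code hosting and links hidden behind URL shorteners, plus the published IoCs into a simple page scanner a site owner or analyst could run against a saved copy of a web page: it extracts every external script, iframe and link, flags those that point at the IoC hosts, the IoC repositories, general code-hosting domains or URL shorteners, and searches inline scripts for the IoC strings. The sample page, the lists of code-hosting and shortener domains, and the mapping of raw.githubusercontent.com to github.com repository paths are assumptions made for the example; the IoC values themselves are the ones listed above with the defanging brackets removed.

```python
"""Scan a saved HTML page for ClearFake-style indicators (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the article, with "[.]" defanging removed so they match real URLs.
IOC_HOSTS = {"stoicinvesting.com", "dais7nsa.pics", "redr.me"}
IOC_REPO_PREFIXES = ("github.com/BrowserCompanyLLC/-12", "bitbucket.org/shakespeare1/")
IOC_STRINGS = ("dais7nsa.pics/endpoint", "0xa6165aa33ac710ad5dcd4f4d6379466825476fde")

# Assumption: domains whose presence in a page's script chain deserves review.
# These lists are illustrative, not from the article; extend them per environment.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.github.com", "bitbucket.org"}
SHORTENER_HOSTS = {"redr.me", "bit.ly", "tinyurl.com"}
# Assumption: raw file URLs for a GitHub repo share the repo path after this host swap.
REPO_HOST_ALIASES = {"raw.githubusercontent.com": "github.com"}


class _Collector(HTMLParser):
    """Collect external references and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.refs = []          # (tag, url) for script src, iframe src, a href
        self.inline = []        # bodies of inline <script> elements
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.refs.append(("script", a["src"]))
            else:
                self._in_script = True
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe", a["src"]))
        elif tag == "a" and a.get("href"):
            self.refs.append(("a", a["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers the whole <script> body as one data chunk.
        if self._in_script and data.strip():
            self.inline.append(data)


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty list if none)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    repo_path = REPO_HOST_ALIASES.get(host, host) + p.path
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    if repo_path.startswith(IOC_REPO_PREFIXES):
        reasons.append("ioc-repo")
    if host in CODE_HOSTS:
        reasons.append("code-host")
    if host in SHORTENER_HOSTS:
        reasons.append("shortener")
    return reasons


def scan_page(html):
    """Return findings as (kind, where, reasons) tuples; references come first."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for tag, url in c.refs:
        reasons = classify_url(url)
        if reasons:
            findings.append(("ref", f"<{tag}> {url}", reasons))
    for body in c.inline:
        hits = [s for s in IOC_STRINGS if s in body]
        if hits:
            findings.append(("inline-script", body.strip()[:60], ["ioc-string:" + h for h in hits]))
    return findings


# Constructed sample page: one legitimate script, one loader pulled from the IoC
# GitHub repo, an injected inline stage referencing the payload host and the
# contract address, and a fake "update" link behind the IoC shortener.
SAMPLE_PAGE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://raw.githubusercontent.com/BrowserCompanyLLC/-12/main/update.js"></script>
<script>
  var u = "https://dais7nsa.pics/endpoint";
  var c = "0xa6165aa33ac710ad5dcd4f4d6379466825476fde";
</script>
</head><body>
<a href="https://example.com/about">About</a>
<a href="http://redr.me/abc123">Update your browser</a>
</body></html>"""

if __name__ == "__main__":
    for kind, where, reasons in scan_page(SAMPLE_PAGE):
        print(f"{kind:14} {', '.join(reasons):28} {where}")
```

A "code-host" or "shortener" reason on its own is only a prompt for review, since many sites legitimately load resources from GitHub; the "ioc-host", "ioc-repo" and "ioc-string" reasons are direct matches on the published indicators. Shortened links are deliberately not expanded here: resolving them means contacting the shortener, which should be done from an isolated analysis host, not from the machine being checked.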

Source: https://cybersecuritynews.com/web-hijack-dotnet-malware