- Attackers use fake pop-up dialogs and social engineering to trick users into running malware
- Cache smuggling hides malware in the browser cache, bypassing download and PowerShell detection tools
- The malware is extracted from a fake image file and deployed as FortiClientComplianceChecker.exe
Hackers are using a combination of social engineering, cache smuggling, impersonation and outright bluffing to bypass regular security protections and deploy malware on victims' computers, experts have said.
Security researchers at Expel, as well as an independent researcher using the alias P4ND3M1CB0Y, observed sites that pretend to be a pop-up dialog from Fortinet VPN's "Compliance Checker".
No such component appears to exist, apart from the option of configuring a FortiClient compliance profile within FortiOS. In any case, the dialog instructs the victim to copy what appears to be the path of a file installed on the hard drive and paste it into File Explorer.
Used by ransomware actors
The path is actually padded with more than 100 spaces to hide its true purpose: running a PowerShell command. At the same time, the phishing site runs JavaScript that directs the browser to retrieve an image and cache it on the file system. This file is not an actual image but hidden malware.
“This technique, known as cache smuggling, allows malware to bypass many different types of security products,” the researchers explained.
"Neither the web page nor the PowerShell script explicitly downloads any files. By simply letting the browser cache the fake 'image', the malware is able to get a whole zip file onto the local system without the PowerShell command needing to make any web requests."
"As a result, any tools that scan downloaded files or look for PowerShell scripts that perform web requests would not detect this behavior."
The script then scans each cache file for content that is actually a .zip file stored inside the fake image and extracts it as FortiClientComplianceChecker.exe, the actual malware. Little was said about who the attackers or the victims were, but some ransomware actors have apparently already begun to incorporate this tactic into their attacks.
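As an added defensive example, not code from the article or from Expel's research, the following Python scans a browser cache directory for files that begin with image magic bytes but carry a valid ZIP archive inside, which is the artifact this technique leaves on disk, and flags copied text where a long run of spaces separates a plausible path from hidden trailing content. The cache path, the sample bytes and the 100-space threshold are assumptions taken from the description above.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Magic bytes of common image formats; a cached "image" should start with one of them.
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"RIFF")
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# A path, then 100+ spaces, then more text: the padding trick described in the article.
PADDED_PATH_RE = re.compile(r"\S\s{100,}\S")

def embedded_zip_offset(data: bytes) -> Optional[int]:
    """Offset of a valid ZIP hidden behind an image header, or None.
    Assumes the archive runs to the end of the file (ZIP appended after image bytes)."""
    if not data.startswith(IMAGE_MAGICS):
        return None  # not posing as an image; out of scope for this check
    idx = data.find(ZIP_LOCAL_HEADER)
    if idx <= 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[idx:])) as zf:
            # testzip() returns None when every member's CRC checks out
            return idx if zf.testzip() is None else None
    except zipfile.BadZipFile:
        return None

def scan_cache_dir(cache_dir: str) -> Dict[str, int]:
    """Walk a browser cache directory; map each image/ZIP polyglot to its ZIP offset."""
    hits: Dict[str, int] = {}
    for p in Path(cache_dir).rglob("*"):
        if p.is_file():
            off = embedded_zip_offset(p.read_bytes())
            if off is not None:
                hits[str(p)] = off
    return hits

def looks_padded(text: str) -> bool:
    """True when copied text hides trailing content behind a long run of whitespace."""
    return PADDED_PATH_RE.search(text) is not None

def build_sample_polyglot() -> bytes:
    """Constructed sample: JPEG header, filler, then a harmless ZIP, mimicking the smuggled 'image'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "harmless test content")
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + buf.getvalue()
```

Point scan_cache_dir at the browser profile's cache folder (assumed location, it varies by browser) and treat any hit as a file worth pulling for analysis.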
Via BleepingComputer