Huge hacking campaign uses spoofed Ghidra, dnSpy, and SpiderFoot security tools to harvest ad revenue and serve malware


  • Over 100 spoofed sites mimic trusted security tools
  • Campaign serves SessionGate, RemusStealer, AnimateClipper
  • Primary goal appears to be traffic monetization

A large-scale malicious campaign was recently uncovered, spoofing reputable open-source security tools to harvest ad revenue and serve malware to developers and security researchers.

Security outfit Check Point Research (CPR) recently published an in-depth report, detailing the campaign. Apparently, threat actors created more than 100 websites spoofing tools such as Ghidra, dnSpy, and SpiderFoot. Visitors were routed through a Traffic Distribution System (TDS) and served multiple malware variants, including SessionGate, RemusStealer, and AnimateClipper.

“What makes this campaign especially notable is the choice of brands: a high-risk subset of sites impersonates trusted reverse-engineering tools such as Ghidra and dnSpy, used by security researchers and malware analysts,” the report reads.

Traffic acquisition and monetization

CPR describes SessionGate as a new multi-stage loader that makes it very difficult to obtain the final payload. RemusStealer is a newly emerged infostealer targeting browsers and extensions, while AnimateClipper is a cryptocurrency clipper capable of hijacking transactions across more than 20 blockchains.

Although these websites serve multiple malware families, CPR does not believe that is the main goal. Instead, it believes the campaign’s primary objective is traffic acquisition and monetization.

“However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors,” CPR stressed. “The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads.”

While CPR did not say how many people were affected by this attack, it does stress that the campaign is rather large-scale. It involves more than 100 websites, as well as more than 5,000 total submissions to VirusTotal.


To defend against this campaign, and others like it, users are advised not to blindly trust search engine results, and to be careful when clicking on links, even when they appear at the very top of results on Google and other reputable search engines.
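The advice above amounts to two checks before installing a tool found through a search: confirm the download actually came from the project's own distribution point, and confirm the file matches a checksum published there. The script below is an added example of both checks, written for this article; it is not Check Point's tooling and not code from any of the projects named. The allowlist of official sources is an assumption the reader must fill in from each project's documentation, the sample archive bytes and their pinned hash are constructed for the demonstration, and the lookalike test (brand name embedded in a non-allowlisted host, or a host within two edits of an allowlisted one) is a simple heuristic, not a claim about how this campaign's domains were named.

```python
import hashlib
from urllib.parse import urlparse

# Assumed allowlist of (host, path prefix) pairs per tool. Placeholder values:
# verify them against each project's own documentation before relying on them.
OFFICIAL_SOURCES = {
    "ghidra": [("github.com", "/nationalsecurityagency/ghidra/")],
    "dnspy": [("github.com", "/dnspy/dnspy/")],
    "spiderfoot": [("github.com", "/smicallef/spiderfoot/")],
}

# Constructed sample release and a hash pinned from it (not a real release).
SAMPLE_RELEASE = b"constructed sample archive bytes, not a real tool release"
PINNED_SHA256 = hashlib.sha256(SAMPLE_RELEASE).hexdigest()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small distances suggest a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_official(url: str, brand: str) -> bool:
    """True when the URL's host and path prefix match an allowlisted source."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    return any(host == h and path.startswith(p)
               for h, p in OFFICIAL_SOURCES.get(brand, []))


def looks_like_spoof(url: str, brand: str) -> bool:
    """Heuristic: a non-allowlisted host that carries the brand name or sits
    within two edits of an allowlisted host deserves scrutiny."""
    if is_official(url, brand):
        return False
    host = (urlparse(url).hostname or "").lower()
    if brand in host.replace("-", "").replace("_", ""):
        return True
    return any(levenshtein(host, h) <= 2 for h, _ in OFFICIAL_SOURCES.get(brand, []))


def verify_download(url: str, data: bytes, expected_sha256: str, brand: str) -> dict:
    """Combine the source check and the checksum check into one verdict."""
    digest = hashlib.sha256(data).hexdigest()
    result = {
        "host": (urlparse(url).hostname or "").lower(),
        "host_official": is_official(url, brand),
        "host_lookalike": looks_like_spoof(url, brand),
        "sha256_matches": digest == expected_sha256.lower(),
    }
    # Only install when both the source and the checksum check out.
    result["trusted"] = result["host_official"] and result["sha256_matches"]
    return result


if __name__ == "__main__":
    good = "https://github.com/NationalSecurityAgency/ghidra/releases/download/x/ghidra.zip"
    fake = "https://ghidra-download.example/ghidra.zip"  # constructed lookalike host
    for url, blob in [(good, SAMPLE_RELEASE), (fake, SAMPLE_RELEASE), (good, SAMPLE_RELEASE + b"!")]:
        print(verify_download(url, blob, PINNED_SHA256, "ghidra"))
```

Pinning a path prefix matters because a host such as github.com alone is shared by every user of the platform, so a host-only allowlist would accept a spoofed repository under a different account. The pinned hash must come from the project's own release page or signature, never from the same page that served the download.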




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
