Zloader, a variant of the infamous Zeus banking malware, has been around since 2006. It is a typical banking malware that makes use of webinjects to steal credentials and other private information from users of targeted financial institutions.
It is now apparently masquerading as a fake Java update on numerous porn sites.
Cybercriminals are tricking adult website visitors – including visitors to sites such as xhamster[.]com – with malvertising attacks that redirect victims to malicious websites serving up malware.
Malsmoke, the name of this campaign, has been tracked throughout 2020 by Malwarebytes.
Zloader: New methods, old foe
According to the researchers: “What made it stand out was the fact it was going after top adult portals and had been continuing unabated for months. Starting mid-October, the threat actors behind malsmoke appear to have phased out the exploit kit delivery chains in favor of a social engineering scheme instead. The new campaign is tricking visitors to adult websites with a fake Java update”.
“This change is significant because it drastically increases the target audience, no longer limiting it to Internet Explorer users running outdated software”, they continued.
The lure is now what looks like a preview of an adult film hosted on a portal, used to get people to play adult videos that do not actually exist. Instead, users are asked to download a fake Java update that is malicious.
As the researchers pointed out: “the new scheme works across all browsers, including the one with the largest market share, Google Chrome”.
When clicking to play an adult video clip, a new browser window pops up with what looks like a grainy video.
The movie plays for a few seconds with audible sound in the background until an overlay message is displayed telling users that the “Java Plug-in 8.0 was not found”.
The movie file is a 28 second MPEG-4 clip that has been rendered with a pixelated view on purpose. It is meant to let users believe they need to download a missing piece of software even though this will not help in any way at all.
Obliviously downloading the software initiates the infection chain…
This latest campaign is proof positive that in the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable.
As far as web threats go, such schemes are here to stay for the foreseeable future.