Threat Actors Hijacking Websites To Deliver .NET-Based Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


ClearFake is a cyber threat operation that distributes fake antivirus software to make users perceive their system as infected.

Such software may demand payment to remove the supposed infection, or it may install further malware that steals sensitive data or causes more damage to the victim’s system.

Cybersecurity analysts at Avast Threat Labs recently identified threat actors actively hijacking websites to deliver .NET-based malware.

Hijacking Websites To Deliver .NET-Based Malware

Threat actors often use .NET malware because it lets them create complex and obscure code that is difficult to detect.


The extensive set of libraries within the .NET framework allows quick development and easy integration of malicious functions, while its compatibility with Windows makes it popular among cybercriminals targeting a diverse range of audiences.

The ClearFake initiative is a highly sophisticated online security threat that has recently emerged as a malware distribution channel.

This operation involves penetrating legitimate websites, which are then used as platforms for malware without the owners’ knowledge.

The malware is built on the .NET framework, indicating a focus on Windows and probably exploiting weaknesses within this common development platform.

What distinguishes ClearFake from other campaigns of its kind is its intelligent utilization of free code hosting services such as GitHub and Bitbucket.

Infection process (Source – X)

Attackers use these platforms to host, distribute, and maybe even update the payloads of their malware.

This makes the traffic almost indistinguishable from normal developer activity, so security systems find it difficult to detect and block the malware.

Moreover, the campaign employs URL shortening services such as “http://redr[.]me”, which adds an extra layer of confusion.

These shortened links make detection harder, as they obscure the malicious URLs’ real destination and may increase click-through rates.

ClearFake is a serious challenge for cybersecurity experts and ordinary internet users alike because it abuses these legitimate web services.

The tactics used in this campaign also show how new cyber threats are becoming ever more complex. That calls for increased vigilance toward links from any source, better web filtering, and awareness that legitimate online resources can be misused for illegal purposes.

Fake update prompt (Source – X)

Cybersecurity researchers strongly urged users to remain vigilant and warned about pages asking them to update their web browsers.

IoCs

  • infected webpage: stoicinvesting[.]com
  • payload URL: dais7nsa[.]pics/endpoint
  • binance contract: 0xa6165aa33ac710ad5dcd4f4d6379466825476fde
  • GitHub repo: github[.]com/BrowserCompanyLLC/-12
  • Bitbucket repos: bitbucket[.]org/shakespeare1/workspace/projects/
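As an added example (not code from the article or from Avast Threat Labs), the script below refangs the published indicators, including the redr[.]me shortener mentioned earlier, and matches them against a constructed proxy log so a SOC analyst can see how the IoCs would be hunted in practice. The log format (timestamp, client IP, method, URL, status) and the client IPs are assumptions for this example; the indicators themselves come from the list above. Host-only indicators match the exact host or any subdomain of it, and host-plus-path indicators match as a prefix of the requested host and path.

```python
from urllib.parse import urlparse

# Indicators as published in the article's IoC list, kept in defanged form.
# The Binance contract address is omitted here because it is not a URL.
DEFANGED_IOCS = [
    "stoicinvesting[.]com",
    "dais7nsa[.]pics/endpoint",
    "github[.]com/BrowserCompanyLLC/-12",
    "bitbucket[.]org/shakespeare1/workspace/projects/",
    "redr[.]me",  # URL shortener the article says the campaign abuses
]

# Constructed sample proxy log for the example (not real traffic):
# <timestamp> <client-ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET http://stoicinvesting.com/ 200
2024-03-01T10:00:02Z 10.0.0.5 GET http://redr.me/abc123 302
2024-03-01T10:00:03Z 10.0.0.5 GET https://github.com/BrowserCompanyLLC/-12 200
2024-03-01T10:00:04Z 10.0.0.7 GET https://github.com/python/cpython 200
2024-03-01T10:00:05Z 10.0.0.5 GET https://dais7nsa.pics/endpoint 200
2024-03-01T10:00:06Z 10.0.0.9 GET https://example.org/news 200
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def match_url(url: str, iocs=DEFANGED_IOCS) -> list:
    """Return the defanged IoCs that the given URL matches."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    host_and_path = host + parsed.path.lower()
    hits = []
    for ioc in iocs:
        r = refang(ioc).lower()
        if "/" in r:
            # Host-plus-path indicator: prefix match on host and path.
            if host_and_path.startswith(r):
                hits.append(ioc)
        # Host-only indicator: exact host or a subdomain of it, so that a
        # look-alike such as "notstoicinvesting.com" does not match.
        elif host == r or host.endswith("." + r):
            hits.append(ioc)
    return hits


def scan_proxy_log(lines, iocs=DEFANGED_IOCS) -> list:
    """Scan proxy log lines; return (line_no, client_ip, url, hits) per match."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        client_ip, url = parts[1], parts[3]
        hits = match_url(url, iocs)
        if hits:
            findings.append((line_no, client_ip, url, hits))
    return findings


if __name__ == "__main__":
    for line_no, client_ip, url, hits in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"line {line_no}: {client_ip} -> {url} matched {hits}")
```

The same matcher can be pointed at web-server access logs of a site you administer to check whether any page is fetching the payload host or the code-hosting repositories, and the host-only/subdomain rule keeps the GitHub and Bitbucket indicators scoped to the specific repositories rather than flagging all traffic to those services.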
