Carding 4 Carders
Phishing and financial fraud are intertwined in a damaging symbiosis.
The fast-growing popularity of Brazil's PIX instant payment system has attracted the attention of cybercriminals, who have begun using the new GoPIX malware to illegally extract profits.
Kaspersky Lab, which has been tracking the malware campaign in question since December 2022, reported that the attacks occur through malicious ads shown to users who search for "WhatsApp Web" in search engines. When such an ad is clicked, the user is redirected to a page hosting the malware.
As has been repeatedly observed in other malvertising campaigns, users who click on a phishing ad are first redirected through a cloaking service designed to filter out sandboxes, bots, and other visitors who do not fit the profile of a real victim.
Interestingly, the malware can be downloaded from one of two different URLs, depending on whether port 27275 is open on the user's computer.
"This port is used by Avast Safe Banking software. When this software is detected, a ZIP file containing an LNK file is downloaded, which has a confusing PowerShell script embedded in it, which loads the next stage of infection."
If the port is closed, an NSIS installation package is downloaded instead. This shows that the extra step is deliberately designed to bypass the security software and still deliver the malware.
The main purpose of the installer is to extract and launch the GoPIX malware using a technique called "Process Hollowing": the attackers start the system process "svchost.exe" in a suspended state and inject malicious code into it.
GoPIX functions as clipboard-stealing malware. It watches the clipboard for PIX payment requests and replaces them with payment data controlled by the attackers.
"The malware also supports spoofing of Bitcoin and Ethereum wallet addresses," the researchers said. "However, they are hard-coded in malware and are not extracted from the management server."
It is worth noting that the campaign reviewed by Kaspersky Lab is far from the only one aimed at users who search in search engines for web versions of WhatsApp or Telegram messengers.
For example, in a recent campaign discovered by Malwarebytes specialists in Hong Kong, attackers tried to trick users into scanning QR codes to log in to the web version of WhatsApp on specially created phishing pages, as a result of which the hackers gained full access to the victims' chat history and saved contacts.
Such stories serve as a reminder that cybercriminals are quick to adapt and take advantage of new opportunities to deceive people. No matter how useful a particular technology is, it can easily be used to its detriment, taking advantage of human inattention.
Always be aware of the dangers on the web and be extra vigilant to avoid getting caught by cybercriminals.
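The clipboard swap described above replaces a PIX "copia e cola" string (an EMV BR Code) with one that pays the attacker. The following added example, not code from the article or from Kaspersky, shows what a defensive check on the user's side looks like: it parses the TLV layout, verifies the CRC-16/CCITT-FALSE trailer, and compares the payee of what was copied against what is about to be pasted. The sample payloads are constructed here; the PIX key, merchant name and amount are made-up values.

```python
"""Parse and validate a PIX 'copia e cola' (EMV BR Code) string and flag a payee swap."""


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), as used by EMV QR / PIX BR Code."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def tlv(tag: str, value: str) -> str:
    """EMV TLV element: two-digit tag, two-digit length, value."""
    return f"{tag}{len(value):02d}{value}"


def parse_tlv(s: str) -> dict:
    """Split a flat TLV string into {tag: value}."""
    out, i = {}, 0
    while i < len(s):
        tag, length = s[i:i + 2], int(s[i + 2:i + 4])
        out[tag] = s[i + 4:i + 4 + length]
        i += 4 + length
    return out


def build_brcode(pix_key: str, name: str, city: str, amount: str) -> str:
    """Construct a static PIX BR Code (constructed sample, standard field layout) with CRC."""
    body = (tlv("00", "01")
            + tlv("26", tlv("00", "br.gov.bcb.pix") + tlv("01", pix_key))
            + tlv("52", "0000") + tlv("53", "986") + tlv("54", amount) + tlv("58", "BR")
            + tlv("59", name) + tlv("60", city) + tlv("62", tlv("05", "***")) + "6304")
    return body + f"{crc16_ccitt(body.encode()):04X}"


def parse_brcode(code: str) -> dict:
    """Verify the CRC trailer, then pull out the payee key, name and amount."""
    if len(code) < 8 or code[-8:-4] != "6304":
        raise ValueError("missing CRC element")
    if crc16_ccitt(code[:-4].encode()) != int(code[-4:], 16):
        raise ValueError("bad CRC: payload altered or truncated")
    top = parse_tlv(code)
    account = parse_tlv(top.get("26", ""))
    return {"pix_key": account.get("01"), "name": top.get("59"), "amount": top.get("54")}


def payee_changed(copied: str, pasted: str) -> bool:
    """True when the pasted code pays a different key or name than the code that was copied."""
    a, b = parse_brcode(copied), parse_brcode(pasted)
    return a["pix_key"] != b["pix_key"] or a["name"] != b["name"]
```

A swapped code carries a valid CRC because the malware builds a complete replacement, so the CRC check only catches corruption; the payee comparison is what detects the substitution.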