While distributing malware disguised as a legitimate software update is not new, threat actors are using a new twist on this method: trying to pass off the Buerak and Mokes malware on compromised sites by making it look like the site's certificate has expired. Several websites across different industries have been compromised and used to deliver malware this way since the earliest detection on January 16th, 2020. A jquery.js script is used to overlay an iframe that is the same size as the original page, so instead of seeing the page they are used to, users see a banner urging them to install a certificate update. The contents of the iframe are loaded from the attacker's web server at the domain name ldfidfa[.]pw. If the install button is clicked, it initiates the download of a file named Certificate_Update_v02.2020.exe, which was detected as Exploit.Win32.ShellCode.gen. Further analysis identified the file as Downloader.Win32.Buerak, packed using the Nullsoft Scriptable Install System. Mokes was also distributed in a very similar campaign back in January, so the malware used is not limited to a single family. Command and Control (C2) servers observed in the campaign include kkjjhhdff[.]site (47.245.30[.]255) and oderstrg[.]site.
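A small detection check for the overlay described above, added here as an example and not code from the original article: it flags iframes that are sized to cover the whole page and are loaded from a host other than the page's own. The HTML sample and the host attacker.example are constructed; since the real iframe is injected by script at runtime, the input is assumed to be the rendered DOM (for example, saved from a headless browser), not the raw server response.

```python
"""Flag full-page iframes that are loaded from a third-party host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Width/height values that cover the whole viewport.
FULL_SIZE = re.compile(r"^(100%|100vw|100vh)$")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_full_size(attrs):
    """True if the iframe is sized via attributes or inline CSS to cover the page."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    if FULL_SIZE.match(width) and FULL_SIZE.match(height):
        return True
    # A fixed-position frame stretched to 100% width or height is an overlay.
    return "position:fixed" in style and ("width:100" in style or "height:100" in style)


def find_overlay_iframes(html, page_url):
    """Return src URLs of iframes that are full-size AND hosted off-site."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname  # None for relative (same-site) sources
        if host and host != page_host and _is_full_size(attrs):
            hits.append(src)
    return hits


# Constructed rendered-DOM sample: one benign embed, one injected overlay,
# and one same-site full-size frame that must not be flagged.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://attacker.example/cert.html"
        style="position: fixed; top:0; left:0; width:100%; height:100%; z-index:9999"></iframe>
<iframe src="/local/widget.html" width="100%" height="100%"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_overlay_iframes(SAMPLE_HTML, "https://www.victim.example/"))
```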
Since this tactic differs somewhat from malware distribution methods used in the past, it may be harder to detect. Users should have protections in place in case they do download this file. Keeping anti-virus up to date is the first line of defense for preventing malware from running, provided the malware is known and detectable. It is important to have monitoring in place on the network and on endpoints to quickly find and stop intrusions before they spread, especially if anti-virus does not detect the malware at the time the file is downloaded. It may also be a good idea to contact the operator of any website that is delivering this malware to warn them of the compromise. For more information and the indicators of compromise, please refer to: https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/