According to the researchers, behind this campaign is the same hacker group that was previously involved in distributing a fake installer for the popular VSDC video editor, both through the program's official website and via third-party download directories. This time, the attackers managed to gain administrative access to the CMS of a number of sites that were used in the infection chain. A script embedded in the pages of the compromised sites redirects users to a phishing page masquerading as an official Google resource.
Victims are selected based on geolocation and browser detection. The target audience is visitors from the US, Canada, Australia, the UK, Israel and Turkey who use the Google Chrome browser. It is worth noting that the downloaded file carries a valid digital signature, similar to the signature on the fake NordVPN installer distributed by the same criminal group.
The infection mechanism works as follows. When the program is launched, a folder is created in the %userappdata% directory containing the files of the TeamViewer remote administration utility, and two password-protected SFX archives are unpacked. One of the archives contains a malicious msi.dll library that enables an unauthorized connection to the infected computer, along with a batch file that launches the Chrome browser with Google[.]com as the start page. The second archive contains a script for bypassing the built-in anti-virus protection of the Windows OS. The malicious msi.dll library is loaded into memory by the TeamViewer process and hides its activity from the user.
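The pattern described above (a legitimate, signed TeamViewer binary dropped into a user-writable folder with a rogue msi.dll beside it, which the process then loads instead of the copy in System32) is a classic DLL sideloading indicator that can be hunted for on an endpoint. The following PowerShell script is an added example written for this article, not code from the researchers or from any tooling mentioned here; it assumes the dropped folder lives under %APPDATA% (the article's %userappdata%) and that the TeamViewer executable keeps its normal name, and it uses only standard cmdlets (Get-ChildItem, Get-AuthenticodeSignature, Get-Process).

```powershell
# Added example (not from the original article): hunt for a TeamViewer binary
# under %APPDATA% that has an msi.dll sitting next to it, and for a running
# TeamViewer process that has loaded msi.dll from anywhere other than System32.
# The %APPDATA% location and the 'TeamViewer*' name pattern are assumptions.

$appData  = $env:APPDATA
$system32 = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. On-disk check: any TeamViewer executable in a user-writable location
#    with an msi.dll beside it. A genuine msi.dll lives only in System32.
Get-ChildItem -Path $appData -Recurse -Filter 'TeamViewer*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dll = Join-Path $_.DirectoryName 'msi.dll'
        if (Test-Path $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $findings += [PSCustomObject]@{
                Source         = 'disk'
                TeamViewerPath = $_.FullName
                SideloadedDll  = $dll
                DllSigStatus   = $sig.Status            # Valid / NotSigned / HashMismatch ...
                DllSigner      = $sig.SignerCertificate.Subject
            }
        }
    }

# 2. In-memory check: a live TeamViewer process whose msi.dll module was not
#    loaded from System32. Module enumeration can fail for processes we cannot
#    open, so errors are suppressed rather than aborting the hunt.
Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $modules = $proc.Modules } catch { $modules = @() }
    $modules |
        Where-Object { $_.ModuleName -ieq 'msi.dll' -and $_.FileName -notlike "$system32\*" } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            $findings += [PSCustomObject]@{
                Source         = "process:$($proc.Id)"
                TeamViewerPath = $proc.Path
                SideloadedDll  = $_.FileName
                DllSigStatus   = $sig.Status
                DllSigner      = $sig.SignerCertificate.Subject
            }
        }
}

if ($findings.Count -eq 0) {
    'No TeamViewer / msi.dll sideloading pattern found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as the affected user (the dropped folder is per-user) and, for the process check, from an elevated session so module lists are readable. A hit where the TeamViewer executable itself shows a valid signature but the adjacent msi.dll is unsigned or signed by an unexpected publisher is the combination the article describes.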
Using this backdoor, the attackers are able to deliver payloads in the form of other malicious applications to infected devices. The following have already been observed among them: