Windows devices are being hijacked in attacks with the novel LOBSHOT remote access trojan, which is being deployed through Google Ads, reports BleepingComputer. Threat actors have been using ads for the AnyDesk remote management software that redirect to the phony amydeecke[.]com site, which deploys a malicious MSI file that eventually leads to the download of the LOBSHOT malware, according to a report from Elastic Security Labs. Aside from having the capability to check for cryptocurrency wallet extensions across major web browsers, LOBSHOT also features an hVNC module that enables attackers to remotely control Windows desktops without the knowledge of the victim. "At this stage, the victim machine will start sending screen captures that represent the hidden desktop that is sent to a listening client controlled by the attacker. The attacker interacts with the client by controlling the keyboard, clicking buttons, and moving the mouse, these capabilities provide the attacker full remote control of the device," said the report.