Typosquat campaign impersonates 27 brands to push Windows and Android malware

A massive malicious campaign is underway that uses more than 200 typosquatting domains impersonating twenty-seven brands to trick visitors into downloading various Windows and Android malware.

Typosquatting is an old technique for luring people to a fake website: the attacker registers a domain name that looks very similar to the one used by the original brand.

The domains used in this campaign are very close to the originals, typically swapping the position of a single letter or adding an extra "s", which makes them easy to miss.

In terms of appearance, in most of the cases BleepingComputer examined, the malicious sites are copies of the originals, or at least close enough that there is little to give the fraud away.

Victims usually land on these sites by mistyping the name of the website they want to visit in the browser's address bar, a mistake that is especially common when typing on mobile.

However, users can also be led to these sites through phishing emails or SMS, direct messages, malicious social media or forum posts, and other methods.

A wide network of fake websites

Some of the malicious sites were discovered by cyber intelligence firm Cyble, which published a report this week focusing on domains that mimic popular Android app stores such as Google Play, APKCombo and APKPure, as well as download portals for PayPal, VidMate, Snapchat and TikTok.

Malicious site impersonating PayPal

Some of the domains used for this purpose are:

  • payce-google[.]com – impersonates Google Wallet
  • snanpckat-apk[.]com – impersonates Snapchat
  • vidmates-app[.]com – impersonates VidMate
  • paltpal-apk[.]com – impersonates PayPal
  • m-apkpures[.]com – impersonates APKPure
  • tlktok-apk[.]link – impersonates a download portal for the TikTok app

In all of these cases, the malware delivered to users trying to download APK files is a banking trojan that targets bank accounts and cryptocurrency wallets across 467 applications.
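As an added example (not code from the article, from Cyble or from BleepingComputer), the following Python script flags observed domains that sit within a couple of single-character edits of a watched brand label, which is exactly the kind of near miss the campaign relies on. The watchlist, the allowlist of legitimate domains and the sample input are constructed for illustration; the sample reuses the defanged domains quoted above plus two benign domains that must not be flagged.

```python
"""Flag observed domains that are within a typo or two of a watched brand label.

Added example; not from the original article, Cyble or BleepingComputer.
The WATCHLIST, ALLOWLIST and the sample domains in __main__ are constructed.
"""

# Brand labels to watch. Assumption: we compare only the registrable label,
# e.g. "paypal" for paypal.com, "notepad-plus-plus" for notepad-plus-plus.org.
WATCHLIST = ["paypal", "snapchat", "vidmate", "apkpure", "tiktok", "google",
             "notepad-plus-plus", "torproject", "visualstudio", "ethermine"]

# Domains the brands actually use; never report these (constructed allowlist).
ALLOWLIST = {"paypal.com", "snapchat.com", "vidmate.net", "apkpure.com",
             "tiktok.com", "google.com", "notepad-plus-plus.org",
             "torproject.org", "visualstudio.com", "ethermine.org"}


def refang(domain):
    """Convert the '[.]' defanging used in threat reports back to a plain dot."""
    return domain.replace("[.]", ".").strip().lower()


def registrable_label(domain):
    """Second-level label of a domain. Assumes a one-label public suffix such as
    .com/.org/.link; a production tool would consult the Public Suffix List."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution or
    swap of two adjacent characters each cost 1. These are the edits the campaign
    uses (an extra 's', a swapped or replaced letter)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def typo_score(label, brand):
    """Smallest edit distance between the brand and the whole label or any window
    of it whose length is within one of the brand's length. The sliding window lets
    bolted-on affixes such as '-apk', '-app' or 'm-' pass without counting as edits."""
    best = osa_distance(label, brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        if width <= 0 or width > len(label):
            continue
        for start in range(len(label) - width + 1):
            best = min(best, osa_distance(label[start:start + width], brand))
    return best


def scan(domains, watchlist=WATCHLIST, allowlist=ALLOWLIST, max_distance=2):
    """Return {domain: (closest brand, score)} for every non-allowlisted domain
    that lies within max_distance edits of a watched brand."""
    hits = {}
    for raw in domains:
        domain = refang(raw)
        if domain in allowlist:
            continue
        label = registrable_label(domain)
        brand, score = min(((b, typo_score(label, b)) for b in watchlist),
                           key=lambda pair: pair[1])
        if score <= max_distance:
            hits[domain] = (brand, score)
    return hits


if __name__ == "__main__":
    # Constructed sample: the defanged domains quoted in the article plus two
    # benign domains that must not be flagged.
    sample = ["payce-google[.]com", "snanpckat-apk[.]com", "vidmates-app[.]com",
              "paltpal-apk[.]com", "m-apkpures[.]com", "tlktok-apk[.]link",
              "notepads-plus-plus[.]org", "tocproject[.]com", "ethersmine[.]com",
              "paypal.com", "example.org"]
    for dom, (brand, score) in scan(sample).items():
        print(f"{dom:28s} -> looks like {brand} (distance {score})")
```

A score of 0 means the brand label appears verbatim inside a longer label (as in m-apkpures or payce-google), so in production the allowlist matters: legitimate third-party domains that embed a brand name will otherwise be reported too, and the real public-suffix handling should come from the Public Suffix List rather than the one-label assumption used here.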

Part of a much larger campaign

While Cyble's report focused on the campaign's Android malware, BleepingComputer found a much larger typosquatting campaign run by the same operators that also distributes Windows malware.

This campaign consists of more than 90 websites created to impersonate more than 27 popular brands in order to distribute Windows malware, steal cryptocurrency recovery phrases and, as described above, push Android malware.

Category                            Impersonated brands
Mobile applications and services    TikTok, Snapchat, APKPure, Google Wallet
Programming                         Microsoft Visual Studio, Brave Browser, Notepad++, Tor Browser
Cryptocurrency                      TronLink, Cosmos Wallet
Trade cryptocurrency and stocks     TradingView, IQ Option
Websites                            Figma, Quatro Casino, Big Time, CS:Money

A notable example of one such typosquat site impersonates the very popular Notepad++ text editor. The fake website uses the domain "notepads-plus-plus[.]org", which is a single character away from the legitimate "notepad-plus-plus.org".

Fake Notepad++ site pushes Vidar Stealer

The files served from this site install the Vidar Stealer information-stealing malware, which has been inflated to 700MB to evade analysis.
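Inflating a sample with hundreds of megabytes of filler pushes it past the file-size limits of many sandboxes and scanners. As an added example (not code from the article or from BleepingComputer), the following Python check estimates how much of a file is trailing filler by reading it backwards in chunks, so a 700MB file is never loaded into memory. It assumes the filler is a run of one repeated byte value at the end of the file, which is the simplest and most common inflation scheme; the sample file it builds is constructed for illustration and is not the malware from the article.

```python
"""Estimate how much of a file is trailing filler (e.g. appended null bytes).

Added example; not from the original article or from BleepingComputer.
Assumption: the inflation is a run of a single repeated byte value at the end
of the file. Other schemes (a huge appended resource or certificate blob) need
different checks.
"""
import os
import tempfile


def trailing_run(path, chunk_size=1 << 20):
    """Return (byte_value, run_length) for the run of identical bytes that ends
    the file. The file is read backwards one chunk at a time."""
    size = os.path.getsize(path)
    if size == 0:
        return None, 0
    run, last, pos = 0, None, size
    with open(path, "rb") as f:
        while pos > 0:
            step = min(chunk_size, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            if last is None:
                last = chunk[-1]                   # the file's final byte value
            stripped = chunk.rstrip(bytes([last]))  # drop trailing filler bytes
            run += len(chunk) - len(stripped)
            if stripped:                           # hit real content; stop here
                break
    return last, run


def padding_report(path, min_size=50 * 1024 * 1024, min_ratio=0.5):
    """Summarise the trailing run and flag the file when it is both large and
    mostly filler. Thresholds are assumptions, tune them for your environment."""
    size = os.path.getsize(path)
    value, run = trailing_run(path)
    ratio = run / size if size else 0.0
    return {
        "size": size,
        "filler_byte": value,
        "filler_bytes": run,
        "ratio": ratio,
        "suspicious": size >= min_size and ratio >= min_ratio,
    }


def build_sample(payload_len=4096, filler_len=3 * 1024 * 1024, filler=0):
    """Write a constructed sample: a deterministic payload whose last byte is
    0xFF, followed by filler_len bytes of the filler value. Returns its path."""
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.write(bytes([filler]) * filler_len)
    return path


def demo(min_size=1):
    """Build the constructed sample, report on it, and clean up."""
    path = build_sample()
    try:
        return padding_report(path, min_size=min_size)
    finally:
        os.remove(path)


if __name__ == "__main__":
    report = demo()
    print(f"size={report['size']} filler_byte={report['filler_byte']} "
          f"filler_bytes={report['filler_bytes']} ratio={report['ratio']:.3f} "
          f"suspicious={report['suspicious']}")
```

The check is deliberately cheap: on a genuinely padded file it stops after the first chunk that contains real content, and on a normal executable it stops after the very last chunk, so it can run over every download a gateway sees without a full scan.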

Another site discovered by BleepingComputer impersonates the Tor Project using the domain "tocproject[.]com". In this case, the website drops the Agent Tesla keylogger and RAT.

Fake Tor Project site drops Agent Tesla

Digging deeper into the long list of domains, we found several sites impersonating popular software, such as:

  • thunderbird[.]org – impersonates the popular open-source Thunderbird email client to drop Vidar Stealer
  • codevisualstudio[.]org – impersonates Microsoft Visual Studio Code to drop Vidar
  • bravebrowsers[.]org – impersonates the Brave web browser to drop Vidar

More fake sites dropping Windows malware

The diversity of malware families delivered to victims may indicate that the campaign's operators are experimenting with different strains to see which works best.

Another group of these sites targets cryptocurrency wallets and their seed phrases, a very profitable activity for threat actors.

For example, BleepingComputer found "ethersmine[.]com", which attempts to steal the seed phrase of the visitor's Ethereum wallet.

Site impersonating Ethermine mining pool

Other sites in the campaign target cryptocurrency holders and digital asset investors by impersonating popular crypto wallets, trading apps and NFT sites.

Of course, the threat actors register multiple variants of each domain to cover as many likely typos as possible, so the domains above are only a small sample of the entire network used in the campaign.

Some browsers, such as Google Chrome and Microsoft Edge, include typosquatting protection. However, in our tests, the browsers did not block any of the domains we tried.

To protect yourself from typosquatting domains, the safest way to reach a legitimate site is to search for the brand in a search engine rather than typing the address by hand.

Even then, avoid clicking on ads displayed in the search results, as there have already been many cases of malicious ads created to impersonate a real website.
