- Attackers use fake Fortinet dialogs and social engineering to trick users into executing malware
- Cache smuggling hides malware in browser cache, bypassing download and PowerShell detection tools
- Malware is extracted from fake image files and deployed as FortiClientComplianceChecker.exe
Hackers are using a combination of social engineering, cache smuggling, identity theft, and straight-up bluffing, to bypass common security protections and deploy malware onto victim’s computers, experts have said.
Security researchers Expel, as well as an independent researcher with the alias P4nd3m1cb0y, observed websites pretending to be a pop-up dialog from Fortinet VPN’s “Compliance Checker”.
There seems to be no such thing, other than the ability to configure the FortiClient Compliance Profile within FortiOS. In any case, that dialog instructs the victim to copy what appears to be a path to a file installed on the hard drive, and paste it in File Explorer.
Used by ransomware actors
The path is actually padded with more than 100 spaces, to hide its true purpose – to run a PowerShell command. At the same time, the phishing website executed a JavaScript that instructed the browser to fetch an image and cache it on the file system. This file is not an actual image, but rather hidden malware.
“This technique, known as cache smuggling, enables the malware to bypass many different types of security products,” the researchers explained.
“Neither the webpage nor the PowerShell script explicitly download any files. By simply letting the browser cache the fake “image,” the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests.”
“As a result, any tools scanning downloaded files or looking for PowerShell scripts performing web requests wouldn’t detect this behavior.”
The script then scans each cache file for content that’s actually a .ZIP file stored in the fake image, and extracts it to FortiClientComplianceChecker.exe – the actual malware. There was very little talk about who the attackers were, or the victims, but apparently some ransomware actors have already started deploying this tactic in their attacks.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You might also like
- Discord hit by data breach after hackers strike support tickets
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers
