- Attackers use fake Fortinet dialogs and social engineering to trick users into running malware.
- Cache smuggling hides malware in the browser cache, bypassing PowerShell download and detection tools.
- Malware is extracted from fake image files and deployed as FortiClientComplianceChecker.exe.
Hackers use a combination of social engineering, cache smuggling, identity theft and outright bluffing to bypass common security protections and deploy malware on victims’ computers, experts say.
Security researchers at Expel, along with an independent researcher going by the pseudonym P4nd3m1cb0y, observed websites pretending to be a pop-up dialog box from Fortinet VPN’s “Compliance Checker.”
No such Fortinet tool appears to exist; the closest thing is the ability to configure a FortiClient compliance profile in FortiOS. In every observed case, the dialog asks the victim to copy what looks like the path to a file already installed on the hard drive and paste it into File Explorer.
Used by ransomware actors
The path is actually padded with over 100 spaces to hide its true purpose: running a PowerShell command. At the same time, the phishing website runs JavaScript that instructs the browser to fetch an “image” and cache it on the file system. That file is not an actual image but concealed malware.
“This technique, known as cache smuggling, allows malware to bypass many types of security products,” the researchers explained.
“Neither the web page nor the PowerShell script explicitly downloads files. By simply letting the browser cache the fake ‘image’, the malware is able to obtain a full zip file on the local system without the PowerShell command needing to make web requests.
“Therefore, no tool that analyzes downloaded files or searches for PowerShell scripts executing web requests would detect this behavior.”
The script then scans each cache file for content that is actually a .ZIP file stored inside the fake image, and extracts it as FortiClientComplianceChecker.exe, the real malware. Little has been said about the identity of the attackers or victims, but some ransomware operators have reportedly already begun using the tactic in their attacks.
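From a defender's side, the tell is an entry in the browser cache whose leading bytes claim an image format but which also carries a parseable ZIP archive. The following is an added example (not code from the article or from Expel) of a cache scanner that flags such image/ZIP polyglots; the cache filenames, the PNG filler and the payload contents are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile

# Leading bytes of common image formats, used to see what a cache entry "claims" to be.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature of a ZIP local file header


def classify_cache_entry(data: bytes) -> dict:
    """Report the claimed image type and whether a valid ZIP archive is embedded in the bytes."""
    claimed = next((name for magic, name in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    zip_offset = data.find(ZIP_LOCAL_HEADER)
    members = None
    if zip_offset != -1:
        try:
            # A real archive must parse from the first local header onward.
            with zipfile.ZipFile(io.BytesIO(data[zip_offset:])) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = None
    return {"claimed": claimed, "zip_offset": zip_offset, "zip_members": members,
            # An image that contains a whole archive is the smuggling pattern described above.
            "suspicious": claimed is not None and members is not None}


def scan_cache_dir(cache_dir: str) -> list:
    """Walk a cache directory and return the entries classified as image/ZIP polyglots."""
    findings = []
    for root, _, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                result = classify_cache_entry(fh.read())
            if result["suspicious"]:
                result["path"] = path
                findings.append(result)
    return findings


def build_polyglot_sample(payload_name: str, payload: bytes) -> bytes:
    """Constructed sample: PNG magic plus filler, followed by a real ZIP holding the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(payload_name, payload)
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + buf.getvalue()


def demo() -> list:
    """Write one polyglot and one benign image-like entry to a temp cache and scan it."""
    with tempfile.TemporaryDirectory() as cache_dir:
        with open(os.path.join(cache_dir, "f_000123"), "wb") as fh:  # constructed cache name
            fh.write(build_polyglot_sample("FortiClientComplianceChecker.exe", b"placeholder, not a binary"))
        with open(os.path.join(cache_dir, "f_000124"), "wb") as fh:  # benign image-like entry
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        return scan_cache_dir(cache_dir)
```

Pointing `scan_cache_dir` at a real browser cache directory turns this into a quick triage check; the member names of any embedded archive are reported so an analyst can see what was smuggled without extracting it.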
Via BleepingComputer