Why it matters: Cyber criminals are constantly analyzing the technology space for new ways to exploit users and obtain their personal data. In the past, phishing attacks have been leveraged to fool users into providing sensitive information by posing as a legitimate source and requesting the user's information. But according to Cisco's Talos threat intelligence organization, a new malicious campaign has been gaining traction as an effective method to harvest information from unknowing users.

Known as malvertising, Cisco's Talos Intelligence believes a specific campaign known as "Magnat" uses fraudulent online advertising to trick users who are searching for legitimate software installers. The Cisco threat intelligence team believes the Magnat campaign may have started in late 2022 and targets users in Canada, the United States, Australia, and several other European nations.

Once a user is directed to the fraudulent download, they run a fake installer that deploys three distinct pieces of malware onto their system. While the fake installer gets to work installing multiple malware components, it does not install the actual application the user was originally searching for.

The first piece of malware is a password stealer used to collect user credentials, often via a common tool known as Redline. Another piece of malware, known as MagnatBackdoor, sets up remote access to the user's device via Microsoft Remote Desktop. This access, combined with the user credentials stolen by Redline (or a similar tool), can provide unfettered access to the user's systems despite their being secured and firewalled. The final piece of the malware trifecta is a Chrome browser extension known as MagnatExtension, which is used for keylogging, obtaining screenshots of sensitive information, etc.

An August 2022 tweet provided screenshots and download samples of a suspected malvertising campaign. Talos analyzed the samples referenced in the tweet and verified that at least one sample contained the MagnatBackdoor, MagnatExtension, and Redline malware components.

Talos believes the Magnat tools have been developed and improved over the course of several years and show no signs of slowing down anytime soon. The installer package's name is constantly evolving and typically references the name of popular applications to lend credibility and trick users into deploying the package. Examples of past package names include viber-25164.exe, wechat-35355.exe, build_9.716-6032.exe, setup_164335.exe, nox_setup_55606.exe and battlefieldsetup_76522.exe.