Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page.

In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer for the popular processor tool CPU-Z.

This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities. The Windows Report was never compromised and is legitimate, but rather threat actors copied its content to trick users.

This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection. We have informed Google with the relevant details for takedown.

**Google ad and filtering**

The malicious ad is for CPU-Z, a popular utility for Windows users that want to troubleshoot their processor and other computer hardware details. The advertiser shows as Scott Cooper and is likely a compromised or fake identity.

One common technique used by threat actors to evade detection is to employ cloaking. Anyone clicking on the ad and who’s not the intended victim will see a standard blog with a number of articles.

We had previously identified another malicious ad using almost the same template.

**Redirect to Windows news site lookalike**

To show what happens when an actual victim clicks on the ad, here is the network traffic related to it as seen in the image below. This time, the corporatecomf\[.\]online website is no longer used to show a blog with articles but instead does a redirect (302 HTTP code) to another domain at workspace-app\[.\]online.

This domain uses content from the legitimate Windows portal WindowsReport.com and looks almost identical:

People who searched for CPU-Z and clicked the ad are now at the download page for the software, where they may wrongly assume that it is legitimate. The URL in the address bar does not match the real one, though.

There are several other domains hosted on the same IP address (74.119.192.188) also used in malvertising campaigns:

**Signed MSIX installer**

The payload is a digitally signed MSIX installer which contains a malicious PowerShell script, a loader known as FakeBat:

The script shows the malware command and control server as well as the remote payload (Redline stealer):

We are blocking the malvertising domains for all Malwarebytes customers:

ThreatDown, powered by Malwarebytes, already detected the final infostealer payload and we have added coverage for the its command and control servers as well.

It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page.

The download is also a signed MSI installer, which increases the chances for it to look legitimate from the operating system and antivirus software. These MSI loaders are quite common and allow threat actors to update the final payload by simply swapping a PowerShell script.

Software downloads have been a big target for the past year with criminals using a variety of tricks to deceive users and install malware. In an enterprise environment, it may be wise to verify a file’s checksum to ensure it has not been tampered with by comparing its SHA256 hash sum with what is posted on the vendor’s website.

**Indicators of Compromise**

Ad domains

argenferia\[.\]com  
realvnc\[.\]pro  
corporatecomf\[.\]online  
cilrix-corp\[.\]pro  
thecoopmodel\[.\]com  
winscp-apps\[.\]online  
wireshark-app\[.\]online  
cilrix-corporate\[.\]online  
workspace-app\[.\]online

Payload URLs

thecoopmodel\[.\]com/CPU-Z-x86.msix
kaotickontracting\[.\]info/account/hdr.jpg
ivcgroup\[.\]in/temp/Citrix-x64.msix
robo-claim\[.\]site/order/team.tar.gpg
argenferia\[.\]com/RealVNC-x64.msix

Payloads

55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1
9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88
419e06194c01ca930ed5d7484222e6827fd24520e72bfe6892cfde95573ffa16
cf9589665615375d1ad22d3b84e97bb686616157f2092e2047adb1a7b378cc95

C2s

11234jkhfkujhs\[.\]site
11234jkhfkujhs\[.\]top
94.131.111\[.\]240
81.177.136\[.\]179

 Malvertiser copies PC news site to deliver infostealer 

Use after free in WebAudio in Google Chrome prior to 119.0.6045.123 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-5996: Stable Channel Update for Desktop

The third GOP debate is sponsored by the Republican Jewish Coalition and will be livestreamed on a platform favored by one of America’s most notorious white nationalists.

Tonight, the third GOP presidential primary debate will take place in Miami. The event is sponsored by the Republican Jewish Coalition (RJC) at a time when antisemitic incidents in the US, according to the Anti-Defamation League, have risen by nearly 400 percent since the Israel-Hamas war erupted last month.

While the Republican National Committee (RNC) has partnered with NBC to broadcast the debate on TV, the event will also be livestreamed for the third time on Rumble, the YouTube alternative that is home to what the Southern Poverty Law Center says is one of America’s most notorious white nationalists, Nick Fuentes.

For the past month, Fuentes has used the Israel-Hamas conflict to push antisemitic hate speech and Holocaust denial conspiracies on his Rumble channel, racking up hundreds of thousands of views. Fuentes has hailed Rumble for reviving his audience, which has gained thousands of followers since Hamas attacked Israel on October 7.

“I think the show is bigger than it's been in a really long time,” Fuentes told his more than 40,000 viewers last week during one of his frequent livestreams on the platform. “If you look at the viewership on Rumble, it’s crazy. I’ve been getting really good viewership on Rumble like I haven’t since I was on YouTube … The replays have been insane.”

Fuentes is a white nationalist leader of the Groyper movement. He attended the neo-Nazi Unite the Right rally in Charlottesville in 2017, has openly praised Hitler, and repeatedly denied the Holocaust. He has also had dinner with former president Donald Trump.

Fuentes’ YouTube account was terminated in 2020 as Google demonetized it, and he initially struggled to retain his audience on a number of other platforms, including DLive and his own Cozy.tv streaming service. Fuentes joined Rumble in March 2021, and he was initially critical of the platform’s failure to promote his videos. He claims he was briefly suspended from the platform in July after posting the livestream of a rally where he called for a “holy war” against non-Christians. Now, less than four months later, he claims his channel is flourishing.

Since the outbreak of the Israel-Hamas war in early October, Fuentes has used his channel on Rumble, which has 42,600 followers, to spread antisemitic conspiracies, claiming in one video that the Israeli government had created the Hamas attack as “atrocity propaganda” to advance “Jewish interests.”

Fuentes compared the Hamas attack to the Holocaust, claiming both were created to “elicit a certain emotional response \[to give the government\] the popular mandate to do whatever it is the government wants to do.”

While it portrays itself as a free speech network, Rumble does have specific policies in place against racism and antisemitism. The platform removed two of Fuentes’ videos on Tuesday evening after WIRED flagged the antisemitic comments made in them, but many others remain. Rumble declined WIRED’s request to comment on whether or not it had an antisemitism problem on its platform.

Fuentes’ is one of many accounts that researchers at Media Matters, a left-leaning media watchdog group, have identified as not only spreading antisemitic content on Rumble, but also monetizing it.

“There is a plethora of antisemitic content on the platform as well as other violent content, conspiracy theories, and bigotry,” Kayla Gogarty, research director at Media Matters, tells WIRED. “We found about 16 far-right figures and groups who have made antisemitic content and have run advertisements on the platform, including Keith Woods, Elijah Schaffer, Stew Peters, and other accounts like Vincent James Foxx.”

Fuentes’ account has not monetized his own channel, but clips of his content have been monetized on Rumble, Gogarty says.

Fuentes did not respond to WIRED’s request for comment, nor did Woods, Schaefer, Peters, and Fox.

The RNC told WIRED in an emailed statement that “hate, bigotry and violence is unfortunately prevalent on every social media platform, and the RNC condemns it entirely, but the RNC does not manage content or pages outside of our own.”

The RJC did not respond to multiple requests from WIRED about the presence of Fuentes and antisemitism on Rumble. At the announcement of the RJC’s sponsorship of the debate last month, the group’s chairman, former US senator Norm Coleman from Minnesota, told NBC: “As the horrific events of the last week have unfolded in Israel, the issue of American foreign policy has taken on an even greater role. American strength and American resolve—and our candidates’ vision for America’s role in the world—are more important than ever.”

Founded in 2013, Rumble has in recent years become a home for many right-wing extremists, conspiracy peddlers, and election deniers who have been banned from mainstream platforms like YouTube, Facebook, and Instagram, or who have had their ability to monetize their content removed.

Rumble, which went public in 2022 and has seen significant growth in users over the past 18 months, has also partnered with Trump’s struggling social media platform Truth Social to provide video services. Donald Trump Jr., the former president’s son, and his wife, Kimberly Guilfoyle, both have exclusive deals with the platform where they post video podcast series.

The GOP Presidential Debate Is Livestreaming on Rumble, Home to White Nationalist Nick Fuentes

By Waqas
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.
This is a post from HackRead.com Read the original post: Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated.

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics.

For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a **fake crypto exchange website** on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted in their **blog post**.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads.

ObjCShellz is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter or investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s **activities**. Earlier in November, Elastic Security Labs **detected** Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers.

Back in 2021, AT&T Alien Labs researchers **discovered that** threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers **reported** that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based **Menlo Security** browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe,” explained Bui BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui said.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider **Coalfire**’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development,” said Baratt.

Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt explained.

****_RELATED ARTICLES_****

1.  **MacStealer: A New Malware Targeting macOS Catalina Devices**
2.  **New macOS malware XcodeSpy found sneaking into spy on victims**
3.  **Linux, Windows and macOS Hit By New “Alchimist” Attack Framework**
4.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
5.  **UpdateAgent malware variant impersonates legitimate macOS software**

Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

By Waqas
Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According…
This is a post from HackRead.com Read the original post: BlueNoroff APT Targets macOS with new RustBucket Malware Variant

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated. The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics. For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a fake crypto exchange website on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads. It is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter.investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s activities. Earlier in November, Elastic Security Labs detected Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers. Back in 2021, AT&T Alien Labs researchers discovered that threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers reported that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based Menlo Security browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe. BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui explained.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

 Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider Coalfire’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development. Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt stated.

BlueNoroff APT Targets macOS with new RustBucket Malware Variant

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

CVE-2023-41270: SMOLD TV: Old & Smart

The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth' action used to update Google Drive remote storage location. This makes it possible for unauthenticated attackers to modify the Google Drive location that backups are sent to via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can make it possible for attackers to receive backups for a site which may contain sensitive information.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5982: UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update — Wordfence Intelligence

A complaint filed with the EU’s independent data regulator accuses YouTube of failing to get explicit user permission for its ad blocker detection system, potentially violating the ePrivacy Directive.

Privacy campaigner Alexander Hanff claims that YouTube’s new ad blocker detection is illegal under European law, and he's taking the fight to the European Commission.

On November 6, German Pirate Party MEP Patrick Breyer addressed Hanff’s claim to the European Commission, formally requesting a legal position as to whether “protection of information stored on the device (Article 5(3) ePR) also cover information as to whether the user's device hides or blocks certain page elements, or whether ad-blocking software is used on the device” and—critically—if this kind of detection is “absolutely necessary to provide a service such as YouTube.”

YouTube began rolling out ad block detection to Europe earlier this year and is now preventing some European users from viewing its content if they have an ad blocker enabled. The EU’s ePrivacy Directive requires online service providers to get explicit permission to “gain access to information stored in the terminal equipment of a subscriber or user.” Hanff, an expert advisor to the European Data Protection Board, alleges that YouTube’s use of JavaScript-based detection scripts to look for specific HTML page elements rendered by a user’s browser is subject to that requirement and he believes it is failing to abide by it.

In a complaint lodged with Ireland's Data Protection Commissioner (DPC), Hanff called on the DPC to “take action against YouTube … for this breach of the law and demand YouTube cease their unlawful deployment of adblocker detection tools.”

Hanff, who helped to draft the forthcoming update to the EU’s ePrivacy regulations, says he believes YouTube’s JavaScript violates EU citizens' privacy.

“The script that \[YouTube\] deploys is detecting what software people are running on their machines or what behaviour their browser is exhibiting in relation to their private activities. It's not okay. It's illegal,” Hanff claims, echoing his complaint. We have a fundamental right to privacy under Article 7 of the European Charter of Fundamental Rights. We have a fundamental right to data protection under Article 8.”

YouTube reportedly started implementing anti-adblock measures in May 2023, and in June was still describing its ad blocker detection as a “experiment.” European users have reported seeing detection messages since at least mid-October. Not every user is affected, and you’ll only see these anti-adblocker messages if you’re signed into your YouTube account.

When YouTube detects an ad blocker or other privacy tool that blocks ads as part of its functions, you'll see a warning stating that “Ad blockers violate YouTube's Terms of Service” or “Ad blockers are not allowed on YouTube.” There are a few different versions of this message, including some that entirely prevent you from playing videos and others that allow you to view a number of videos with your blocker enabled before streaming is blocked.

A pop-up asking you to turn off your ad blocker is hardly an unusual sight on the internet, but could it be against the law?

All versions of YouTube's ad blocker detection that WIRED is aware of use a JavaScript program that runs in the client browser, although YouTube says that it could use non-invasive server-side methods to identify if a video ad served to a user has not been played.

Hanff’s complaint claims that YouTube’s client-side detection code meets the description, in Article 5(3) of the ePrivacy directive 2002/58/EC, of a process used to “gain access to information stored in the terminal equipment of a subscriber or user." If that’s the case, the user must be provided with “clear and comprehensive information” about what this information will be used for and given the “right to refuse such processing.”

You'll be familiar with this process from the cookie consent forms that appear whenever a website wishes to capture non-essential information about you and your browser. Right now, neither an explicit notification nor an opt-out are displayed when YouTube obtains data about whether ad blocking tools may be active on your device or network connection.

YouTube representative Christopher Lawton tells WIRED that “ads support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube. The use of ad blockers violate\[s\] YouTube’s Terms of Service.”

YouTube’s current terms, last updated on January 5, 2022, don’t explicitly mention the use of ad blocking tools, nor any detection measures, although a Permissions and Restrictions clause that forbids user activity to “circumvent, disable, fraudulently engage, or otherwise interfere with the Service” could be read as covering this scenario.

But Hanff, who holds an advanced master of laws in privacy, cybersecurity and data management from Maastricht University, maintains that, “under EU Consumer Protection Law, you're not legally allowed to enforce any terms in the contract which infringe on the fundamental rights and freedoms of an EU resident.” The reason cookie consent forms are so intrusive is because consent for device access can’t be bundled up with other terms and conditions.

Breyer, the German MEP, echoes Hanff’s beliefs, telling WIRED that "ad blockers protect us from illegal tracking of our online life and online harms. YouTube's terms and conditions likely violate EU law. YouTube should offer surveillance-free advertising and stop its anti-adblock campaign now."

YouTube obviously wants to make money—that server bandwidth isn't going to pay for itself. In 2022, ad-free YouTube Music and Premium had 80 million subscribers, while YouTube reported ad revenue of $7.95 billion in the third quarter of 2023 alone.

Priced at $13.99 (or €12.99 in Europe), YouTube Premium's primary benefit is ad-free video and music streaming. But if you can use an ad blocker to obtain most of the benefits of a subscription, there's little incentive to pay.

YouTube also needs its content creators to make enough money to justify their efforts. If you don't watch the ads on a video, and aren’t paying for YouTube Premium, the video you’re watching doesn't make any money for its uploader. That includes if you have ads enabled but press the “skip ad” button as soon as it appears on a skippable ad.

YouTube also reserves the right to serve ads on videos by creators who are not in the YouTube Partner Program or under a monetizing agreement, without sharing any revenue from those ads with said creators.

The arguments in favor of ad blocking range from reducing bandwidth consumption to avoiding psychologically harmful ads. (YouTube, for example, runs ads for alcohol, diets, and online casinos.) But the most compelling argument in favor of ad blocking is online security. Security researchers regard online ad networks as a key threat vector when it comes to cybersecurity, and ads on YouTube have previously been cited as serving crypto-mining malware and links to scams and pornographic content.

Most ad-blocking browser extensions look for specific file paths and filenames (such as those in the ad blocking Easylist) being called from within a page, and remove them from the version of the page that is rendered in your browser.

For example, a JavaScript program called “clever\_ads.js” (the name of a script produced by the Clever Ads advertising automation service, which embeds ads in your page) would be identified by the ad blocker and removed, along with any content it would normally load. In the case of YouTube, the ad API returned JSON files, which the ad blockers would replace.

There are a few methods of detecting whether a user is blocking ads, most of which involve another JavaScript program that checks the rendered page for evidence that ad content has been removed. A frequent approach is to have your ad-loading script also insert a JavaScript variable or an HTML element that can be checked for.

Of course, ad blockers can look for and remove the anti-adblocker scripts as well, and that’s what’s happening in the case of blocking tools, such as Adblock Plus and uBlock Origin, that regularly provide extra filters to download and add to the blocker so that it can remove the latest scripts.

But as its anti-adblocker scripts are added to the filter lists, YouTube releases updated versions of those scripts. So now there’s an adblock detection arms race going on, embodied by the “Is YouTube Anti-Adblock Fixed” website, which monitors whether the uBlock Origin browser plugin is successfully circumventing YouTube’s adblock detection or not by comparing a list of YouTube anti-adblocker script IDs with the list of script IDs that are blocked by the plugin.

Fundamentally, the EU says that random websites aren't allowed to rummage around in your stuff without permission. That’s something most people agree on. Google itself forbids Android app developers from using the QUERY\_ALL\_PACKAGES permission, describing a user's installed apps as “personal and sensitive information.”

The question facing the DPC is whether YouTube’s adblock detection scripts are invasive enough to qualify: Is downloading and running a JavaScript routine equivalent to downloading and storing a cookie?

It looks like YouTube intends to argue that it isn’t, and is emphatic that it only seeks to identify whether ads have been served but not played. When WIRED asked the company if it was using or testing server-side ad blocker detection, YouTube’s Lawton said that it was currently carrying out ad blocker detection within YouTube and not on users’ devices. That doesn’t line up with our observations or those of the ad blocker developers, as a JavaScript detection routine on a website has to be run by the browser to function.

Lawton says that YouTube “will of course cooperate fully with any questions or queries from the DPC.”

The Irish Data Protection Commissioner’s office did not provide a comment for this feature, but Hanff says that the DPC has confirmed to him that it’s investigating the case.

YouTube's Ad Blocker Detection Believed to Break EU Privacy Law

By Deeba Ahmed
GootBot: New Gootloader Variant Evades Detection with Stealthy Lateral Movement.
This is a post from HackRead.com Read the original post: IBM X-Force Discovers Gootloader Malware Variant- GootBot

The original Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.

IBM X-Force has discovered a new variant of the notorious **Gootloader malware**, dubbed GootBot. This malware performs stealthy lateral movement, which complicates the detection or blocking of the campaign within enterprise networks.

According to the **blog post** authored by Golo Mühr and Ole Villadsen, the Gootloader group implements their custom bot in the latter stages of this attack chain to evade detection, using off-the-shelf tools for establishing C2 communication, such as RDP or CobaltStrike.

Gootloader malware was initially used only as an initial access tool and evolved considerably over time to include GootBot, a lightweight obfuscated PS script. It is downloaded after the Gootloader infection and receives commands via C2 through encrypted PowerShell scripts.

For your information, the Gootloader group (aka UNC2565 or Hive0127) first surfaced in 2014 and focused more on SEO poisoning techniques and compromised WordPress websites to distribute the Gootkit-based Gootloader malware. Tanium’s director of endpoint security research, Melissa Bischoping, explained how **SEO poisoning** works. 

One of the hacked websites used in delivered Gootloader malware (Image: Sophos)

“SEO poisoning drives users to malicious payloads by manipulating the search results for key terms. Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user. There’s a false sense of security that people place in search result top rankings and an outdated mindset that the lock on the address bar means a site is safe.”

Hackread.com has been following the Gootloader group’s activities since its emergence. The group frequently targets business-related online searchers like queries about legal contracts, creating legit-looking websites, and positioning them on the first page of search results. Once the user visits the page, they entice them into downloading archive files, which appear harmless and relevant to their queries but actually contain Gootloader malware.

In March 2021, Sophos cybersecurity firm **confirmed** that Gootloader has evolved into a sophisticated loader framework from serving as an initial access point, revealing that its delivery method had expanded beyond the Gootkit malware family. As an initial access point, Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.  

GootBot is a novel Gootloader variant. It is a PowerShell payload encapsulating a single C2 server address. Its strings use a replacement key to conduct mild obfuscation. The malware, just like Gootloader, sends a GET request to the C2 server, requesting PowerShell tasks, and gets a string comprising a Base64-encoded payload.

The last 8 digits of the code are the task’s name. It then decodes the payload and injects it into the script block before executing it. The payload runs asynchronously, maintaining a default beaconing interval of 60 seconds. When it receives a C2 task, the next loop iteration starts, and for completed jobs, the results are returned.

GootBot is designed for lateral movement within the network, noted X-Force researchers. Its C2 infrastructure can quickly generate numerous GootBot payloads for distribution, each having a unique C2 address, and can cause multiple infections of the same host. It also runs a reconnaissance script and contains a unique GootBot ID for the host.

This effective malware lets attackers swiftly propagate across the compromised network to deploy additional malicious software. Unlike Gootloader, GootBot spreads through infected domains to reach the domain controller. This indicates a shift in attack tactics from Gootloader operators and enhances the success rate of post-exploitation stages, including Gootloader-based ransomware affiliate activity.

The malware is capable of extracting domain user name, and OS details from the registry key, checks for x86 dir and int ptr size if 64bit architecture is detected, and obtains information about domain controllers from registry and ENV var, SID, local IP address, hostname, and running processes. The data gets formatted with the specified ID.

The emergence of the GootBot variant highlights that attackers are employing sophisticated methods to stay undetected and spread laterally across the network. Lateral-movement scripts are possible through various techniques, such as WinRM, SMB, and WinAPI calls, to spread the payload to other hosts.

Infection diagram

Organizations must implement advanced security mechanisms, including endpoint detection and response (EDR) solutions and regularly updating software to prevent the threat. Bugcrowd cybersecurity firm’s founder and chief strategy officer, **Casey Ellis**, shared the following statement with Hackread.com regarding the current Gootloader campaign.

“This all strikes me as a very organized and thoughtful initial access broker (IAB). Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well. For defenders, it’s important to remember that organized cybercrime is continuing to evolve, stratify, and mature and that the threat actor behaviours now include this type of long, wide game.”

Keeper Security’s CEO and co-founder, **Darren Guccione**, in an exclusive statement shared with Hackread.com, noted that it is hard for innocent users to distinguish between authentic and fabricated search results, which makes SEO poisoning so successful.

“Innocent people who are not trained on SEO (Search Engine Optimization) and SEO-related attack vectors, including SEO poisoning, generally focus on the aesthetics of the search results page they are familiar with such as the domain name and the logos displayed. Often, threat actors will use language like “Official Website” to lure people into clicking a dangerous link or visiting a spoofed site that can download Gootloader or other malware onto their device.”

However, some scrutiny can prove beneficial in detecting malicious websites, said Guccione. “Phony or spoofed websites will usually have a different website address than the official company name and can also use different domain extensions than the one for the legitimate website. The majority of popular websites use the domain extension .com,” explained Guccione. 

“If you visit a site, pay special attention to the domain itself and if it appears to be abnormally long or unrecognizable based on your normal search activity, it’s best to ignore it – and not click on any link. Online tools such as a Google Transparency Report can also be used to determine whether a site is safe.”

1.  Google Algorithm Updates vs SEO Strategies
2.  How Can SEO Help Increase Website Security?
3.  Google Indexed Trove of Bard AI User Chats in Search Results
4.  Ad-blocker Chrome extension AllBlock injected ads in Google searches
5.  Malicious Chrome, Edge extensions manipulating Google search results

IBM X-Force Discovers Gootloader Malware Variant- GootBot

Okta has concluded that the root cause of its breach was an employee storing company credentials in a private Google account.

Okta has revealed details about a recent breach which exposed files belonging to customers.

As we explained in our article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. Having this file allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

After 1Password, BeyondTrust, and Cloudflare detected unauthorized log-in attempts to their in-house Okta administrator accounts, they reported the incidents to Okta who started an investigation.

Okta says it found that from September 28 to October 17, 2023 an attacker had unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.

The attacker gained access using stolen credentials of a service account stored in the system itself, which had permissions to view and update customer support cases.

To gain access to that service account, the attacker compromised an Okta employee. The employee logged into the service account while they were signed in to their personal Google profile in Chrome on their Okta-managed laptop. That meant that the credentials of the service account were stored in the employee’s personal Google account.

How they got from that account into the attacker’s hands is unknown, but likely the attacker compromised that personal account or one of the employee’s devices fell into the attacker’s hands, from where they could accessed the Google account and harvested the credentials.

Once in, the attacker was able to use session tokens in the HAR files to impersonate staff and hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare.

Okta says it has now locked down personal Google access on company-managed computers:

> “Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.”

In general, it’s hard to strictly separate the use of devices for work purposes— in a 2020 survey by Malwarebytes, we found that the majority of people do use work devices for personal use. When a device gets assigned to an employee, they consider it more or less as “theirs” and there’s a tendency to start using it for personal matters. Okta could have anticipated this behavior and added additional security measures for such an important account.

A remediation task that is important to note for Okta customers is:

> “Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. **This feature can be enabled by customers in the early access section of the Okta admin portal.**”

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Tag

#google