from Hacker News

Ars Technica used in malware campaign with never-before-seen obfuscation

by iroddis on 1/31/24, 10:56 PM with 37 comments

  • by krackers on 1/31/24, 11:12 PM

    >Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.

    I'm guessing the only reason it is done this way is to make network activity less suspicious than if the device were to connect to some novel 3rd party domain?

  • by scosman on 1/31/24, 11:16 PM

    Good to see them reporting on it. So many publications wouldn’t.

  • by rising-sky on 1/31/24, 11:47 PM

    So in other words, this is harmless unless the target was previously infected with the malware `explore.ps1`. This URL just acts as a trigger to activate the malware? Do I have that somewhat right?

  • by hamandcheese on 2/1/24, 3:30 AM

    This seems novel in the same way that "<thing>... but on the internet" is a patentable idea.

    It seems no different in concept than a spy signaling another spy by leaving something in a public space.

  • by technion on 2/1/24, 2:08 AM

    Every time I read about a massive company ransomware event: Excel macros, mimikatz, phishing

    Any time something is actually described as a novel technique: cryptominer. Ugh.

  • by AtlasBarfed on 2/1/24, 1:48 AM

    Base64 is never-before-seen?

    This isn't even very advanced steganography, am I right?

    Heck, something like the network buffer datastore seems a lot more advanced.

  • by kurthr on 1/31/24, 11:27 PM

    Browse news in a throwaway VM instance that doesn't directly have password management. GoogleNews has served me several trojans, because I'm inherently clicking on unknown links. This attack was interesting, because it didn't leave Ars, but I would fear those who target HN with outlinks.

    They can serve malware only to targeted domains so you may be the only one hit.

    Even more targeted and obscured is to include several keywords in an article of interest that lead to a single controlled page optimized for search engines, which again serves targeted malware.