Infostealer with hVNC capability pushed via Google Ads

There has been a noted increase in malvertising via Google Ads this year, aimed at tricking users into downloading malware; among these malicious payloads is LOBSHOT, an infostealer that can also establish and keep long-term remote control of target computers through a hVNC module.

LOBSHOT infection chain (Source: Elastic Security Labs)

LOBSHOT malware infection

LOBSHOT, an infostealer and remote access trojan, is being distributed via Google Ads. The ads promote a legitimate remote desktop solution called AnyDesk, which is commonly used in enterprise settings.

Instead of directing users to AnyDesk’s official website, the URL points to a page hosted on https://www.amydecke[.]website that appears legitimate and includes a download button that takes users to an MSI installer.

Fake AnyDesk landing page for installer (Source: Elastic Security Labs)

The MSI installer launches PowerShell, downloads LOBSHOT, and then executes it with rundll32. Once LOBSHOT is running on the infected system, it checks if Windows Defender is active, and if it is, it stops execution to avoid detection.

“After LOBSHOT is executed, it moves a copy of itself to the C:\ProgramData folder, spawning a new process using explorer.exe, terminating the original process, and finally deleting the original file,” said Daniel Stepanic, senior security research engineer at Elastic.

“This design choice is used in an attempt to break the process tree ancestry; making it harder to spot for analysts.”

After successfully infecting a system, the malware starts communicating with C2 servers on hardcoded IP addresses.

Infostealer + hVNC

To achieve persistence, LOBSHOT registers a new registry key. It then starts extracting data from more than 50 cryptocurrency wallet extensions in browsers such as Chrome, Edge and Firefox.

But what makes this malware notable is its hVNC capability.

Traditional VNC (Virtual Network Computing) software allows remote access to a machine with the user’s permission; hVNC operates stealthily, enabling attackers to carry out actions on the same machine without being detected by the victim.

While LOBSHOT’s primary purpose seems to be theft of data that may lead to cryptocurrency theft, its hVNC capability may point to attackers’ other goals.

“[hVNC] modules allow for direct and unobserved access to the machine. This feature continues to be successful in bypassing fraud detection systems and is often baked into many popular families as plugins,” Stepanic added.

“[Malware like LOBSHOT have] significant functionality which helps threat actors move quickly during the initial access stages with fully interactive remote control capabilities. We are continuing to see new samples related to this family each week, and expect it to be around for some time.”