For several months now, Guardio has been tracking one of the largest malware distribution campaigns we have ever seen, reaching as many as several hundred thousand users per day. In this write-up we share insights and a detailed analysis of how the actors behind it managed to spread and deploy this army of infected computers, shifting and altering their deceptive malvertising operation along the way to optimize reach and evade conventional detection methods and mechanisms.
ISOtonic – Quick Facts:
Daily Downloaded Malware Files: ~400,000
Infected devices per day: ~20,000–40,000
Total Infected Devices (as of 09/22): ~3,000,000 (!)
Malicious Payload: Chrome/NW.js based malware loader
Payload Container: ISO files
First sighting: January 2022
Geographical Distribution: Mostly USA
Top Target Segmentation: Gaming, Streaming, Software Cracks, Adult
Propagation Methods: Malvertising

Early Sighting
As early as January 2022 we first observed a very heavily downloaded ISO file with the same modus operandi. ISO files (archive images originally meant to duplicate the contents of optical disks) have lately been heavily abused by bad actors as containers for malicious program bundles: the payload ships inside the image, so scanners that only look at the outer file see a different object every time. In this campaign the filename kept changing, and with it the final size and hash of the ISO archive, yet our data and behavioral analysis quickly revealed that these suspicious files originated from the same actor. Not only were they downloaded from a common list of freshly registered domains, they also propagated through very similar malvertising campaigns that leveraged the originating sites' metadata about their visitors to manipulate and deceive them.
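As an added illustration (not Guardio's tooling or data), the Python below builds two constructed ISO 9660 images that carry identical payload files but differ in volume label and in trailing padding, then shows why a fingerprint computed over the embedded files survives such repacking while a hash of the container does not. The minimal ISO layout, the file names inside it and the padding trick are assumptions made for the demo, not details taken from the campaign.

```python
import hashlib
import struct

SECTOR = 2048  # ISO 9660 logical block size


def _both_endian32(value):
    """ISO 9660 stores 32-bit fields twice: little-endian, then big-endian."""
    return struct.pack("<I", value) + struct.pack(">I", value)


def _dir_record(name, extent, size, is_dir=False):
    """One directory record (ECMA-119 section 9.1); `name` is the raw identifier."""
    name_b = name.encode("ascii")
    body = (b"\x00"                               # extended attribute record length
            + _both_endian32(extent)              # extent location (LBA)
            + _both_endian32(size)                # data length in bytes
            + bytes(7)                            # recording date/time (zeroed)
            + (b"\x02" if is_dir else b"\x00")    # file flags, bit 1 = directory
            + b"\x00\x00"                         # file unit size, interleave gap
            + b"\x01\x00\x00\x01"                 # volume sequence number (both-endian 16-bit)
            + bytes([len(name_b)]) + name_b)
    total = 1 + len(body)
    if total % 2:                                 # records are padded to an even length
        body += b"\x00"
        total += 1
    return bytes([total]) + body


def build_iso(label, files):
    """Constructed stand-in for a campaign ISO: PVD at sector 16, terminator at 17,
    root directory at sector 18, file extents from sector 19 onward."""
    root_lba, data_lba = 18, 19
    entries, data = [], b""
    for name, content in files:
        sectors = -(-len(content) // SECTOR)
        entries.append((name, data_lba, len(content)))
        data += content.ljust(sectors * SECTOR, b"\x00")
        data_lba += sectors
    root = _dir_record("\x00", root_lba, SECTOR, True)    # "." entry
    root += _dir_record("\x01", root_lba, SECTOR, True)   # ".." entry
    for name, lba, size in entries:
        root += _dir_record(name, lba, size)
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1             # type 1 = primary volume descriptor
    pvd[40:72] = label.encode("ascii").ljust(32)          # volume identifier
    pvd[80:88] = _both_endian32(data_lba)                 # volume space size in blocks
    pvd[120:124] = pvd[124:128] = b"\x01\x00\x00\x01"     # volume set size / sequence number
    pvd[128:132] = b"\x00\x08\x08\x00"                    # logical block size 2048
    pvd[156:190] = _dir_record("\x00", root_lba, SECTOR, True)  # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1        # volume descriptor set terminator
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + root.ljust(SECTOR, b"\x00") + data)


def parse_iso(image):
    """Return {name: content} for the files in the root directory of an ISO 9660 image."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    directory = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    files, off = {}, 0
    while off < len(directory):
        rec_len = directory[off]
        if rec_len == 0:                      # records never straddle a sector boundary
            off = (off // SECTOR + 1) * SECTOR
            continue
        extent = struct.unpack_from("<I", directory, off + 2)[0]
        size = struct.unpack_from("<I", directory, off + 10)[0]
        flags, name_len = directory[off + 25], directory[off + 32]
        name = directory[off + 33:off + 33 + name_len].decode("ascii", "replace")
        off += rec_len
        if flags & 0x02:                      # skip directories, including "." and ".."
            continue
        files[name.split(";")[0]] = image[extent * SECTOR:extent * SECTOR + size]
    return files


def container_hash(image):
    """What a file-hash blocklist sees: changes with any byte of the container."""
    return hashlib.sha256(image).hexdigest()


def payload_fingerprint(image):
    """Sorted SHA-256 of each embedded file, hashed again: ignores label, name and padding."""
    digests = sorted(hashlib.sha256(c).hexdigest() for c in parse_iso(image).values())
    return hashlib.sha256("\n".join(digests).encode()).hexdigest()


PAYLOAD = [  # constructed stand-ins for the files inside the container (assumption)
    ("SETUP.EXE;1", b"MZ" + b"\x90" * 600 + b"NW.js loader stand-in"),
    ("APP.NW;1", b"PK\x03\x04" + b"package.json placeholder" * 40),
]
ISO_A = build_iso("SETUP", PAYLOAD)
# Same files, new label, 4 KiB appended: new size and new hash (assumed repacking, not from the campaign).
ISO_B = build_iso("GAME_INSTALLER", PAYLOAD) + b"\x00" * 4096

if __name__ == "__main__":
    for tag, img in (("A", ISO_A), ("B", ISO_B)):
        print(tag, len(img), container_hash(img)[:16], payload_fingerprint(img)[:16])
```

Run stand-alone, the script prints different sizes and container hashes for the two images but the same payload fingerprint, which is the property a detection pipeline needs when an actor rotates the outer file while shipping the same loader.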
Adding to the above, the magnitude of the phenomenon — an