
"The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate."
"Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,"
"The executable [...] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this."
A sophisticated malware campaign uses paid search ads to deliver malicious installers to users searching for popular tools such as GitHub Desktop. The attackers embed a GitHub commit in page URLs whose altered links resolve to attacker-controlled infrastructure, funneling victims to the lookalike domain gitpage[.]app. The first-stage payload is a 128 MB MSI that evades many online sandboxes. A GPU-gated decryption routine, codenamed GPUGate, keeps the payload encrypted on systems without a real GPU; the executable aborts if GPU functions are unavailable or the reported device name is too short. The chain then executes a Visual Basic Script that launches a PowerShell script.
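The delivery chain summarized above (oversized MSI, script host spawning PowerShell, lookalike domain) lends itself to simple endpoint detection rules. The following is an added example written for this page, not code from The Hacker News or from the researchers it cites. It evaluates three rules over constructed process-creation events in a simplified JSON shape; the field names (`parent_image`, `image`, `command_line`, `file_size`) and the 100 MB size threshold are assumptions of the example, and the sample events are made up rather than real telemetry.

```python
"""Detection rules for the GPUGate delivery chain (added example, constructed data).

Rules:
  1. script_host_spawns_powershell  - wscript/cscript parent launching powershell
  2. oversized_msi_install          - msiexec installing a package >= LARGE_MSI_BYTES
  3. lookalike_domain               - a URL in the command line on gitpage.app
"""
import json
import re
from typing import Dict, Iterable, List

# Domain from the report (defanged there as gitpage[.]app).
LOOKALIKE_DOMAINS = {"gitpage.app"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed threshold: the sample in the report was 128 MB, far above typical installers.
LARGE_MSI_BYTES = 100 * 1024 * 1024

# Constructed sample events, one JSON object per line. "file_size" is an assumed
# enrichment field holding the size in bytes of the package msiexec is installing.
SAMPLE_EVENTS = [
    json.dumps({"id": 1, "parent_image": r"C:\Windows\System32\msiexec.exe",
                "image": r"C:\Windows\System32\wscript.exe",
                "command_line": r'wscript.exe "C:\Users\user\AppData\Local\Temp\setup.vbs"',
                "file_size": 0}),
    json.dumps({"id": 2, "parent_image": r"C:\Windows\System32\wscript.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\stage.ps1",
                "file_size": 0}),
    json.dumps({"id": 3, "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\msiexec.exe",
                "command_line": r'msiexec.exe /i "C:\Users\user\Downloads\GitHubDesktopSetup.msi"',
                "file_size": 134217728}),
    json.dumps({"id": 4, "parent_image": r"C:\Program Files\Browser\browser.exe",
                "image": r"C:\Program Files\Browser\browser.exe",
                "command_line": "browser.exe https://gitpage.app/download",
                "file_size": 0}),
    json.dumps({"id": 5, "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\notepad.exe",
                "command_line": "notepad.exe readme.txt",
                "file_size": 0}),
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _hosts(text: str) -> List[str]:
    """Host parts of every http(s) URL found in a command line."""
    return [h.lower() for h in re.findall(r"https?://([^/\s\"']+)", text)]


def evaluate(event: dict) -> List[str]:
    """Return the names of all rules the event triggers (empty list if none)."""
    hits: List[str] = []
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")

    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    if image == "msiexec.exe" and event.get("file_size", 0) >= LARGE_MSI_BYTES:
        hits.append("oversized_msi_install")
    for host in _hosts(cmd):
        # Match the domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in LOOKALIKE_DOMAINS):
            hits.append("lookalike_domain")
            break
    return hits


def scan(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map event id -> triggered rules for every JSON line that triggers at least one."""
    findings: Dict[int, List[str]] = {}
    for line in lines:
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            findings[event["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Rule 1 is the highest-signal of the three on its own; rules 2 and 3 are noisy in isolation (large MSIs and typo-squat lookalikes both occur legitimately) and are best used to enrich or correlate with the first rather than to alert directly.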
Read at The Hacker News