A new malware variant called PLAYFULGHOST has been discovered that is being distributed via phishing emails and websites that appear high in search engine listings through black hat search engine optimation (SEO) tactics.
PLAYFULGHOST was analyzed by Google’s Mandiant Managed Defense team, which confirmed the malware had extensive information-stealing capabilities. They include keylogging, taking screenshots, recording audio, copying information from the clipboard, stealing QQ account information, and collecting information on the installed security solutions and system metadata. The malware can also block mouse and keyboard inputs, clear Windows event logs, delete caches and profiles from web browsers, erase profiles and delete local storage for messaging apps, and the malware has file transfer capabilities and can download additional payloads. The malware achieves persistence in four ways –registry keys, scheduled tasks, establishing itself in a Windows service, and through entries in the Windows Startup folder. In short, PLAYFULGHOST is a highly capable and very dangerous new malware variant.
An analysis of the distribution methods identified SEO poisoning, where websites are promoted so they appear high in the search engine listings for search terms related to Virtual Private Network solutions, including the legitimate LetsVPN solution. If a user visits the webpage, they can download the LetsVPN installer; however, it has been trojanized to silently load PLAYFULGHOST in the memory via an interim payload. Phishing is also used to distribute the malware. While multiple lures could be used in this campaign, intercepted emails had code-of-conduct-related lures to trick the recipient into opening a malicious RAR archive that includes a Windows executable file that downloads and executes the malware from a remote server.
If infected with the malware, detection can be problematic since the malware runs in the memory, and multiple persistence mechanisms can make malware removal challenging. It is vital that infection is prevented and that requires multiple measures since the malware is distributed in different ways. To protect against malware delivery via SEO poisoning and malvertising, businesses should use a web filter and provide regular security awareness training to the workforce. The WebTitan DNS filter is a web filtering solution that protects against web-delivered malware in a variety of ways. WebTitan is fed extensive up-to-the-minute threat intelligence on malicious websites and domains and will prevent users (on and off the network) from visiting those malicious websites. That includes visits to websites through web browsing and redirects through malvertising.
WebTitan can be configured to block certain downloads from the Internet by file extension, such as installers and other executable files. In addition to preventing malware delivery, this feature can be used to control shadow IT – software installations that have not been authorized by the IT department. WebTitan can also be used to control the web content that employees can access, by blocking access to web content that serves no work purpose along with risky categories of websites.
Security awareness training is vital for making employees aware of the risks of malware downloads from the Internet. Employees should be instructed not to download software from unofficial websites, warned of the risks of malvertising, and told not to trust a website simply because it is positioned high in the search engine listings. Employees should also be warned of the risk of phishing, be taught how to identify a phishing attempt, and be conditioned to report suspicious emails to their security team. A phishing simulator should also be used to reinforce training and identify individuals who are susceptible to phishing so they can be provided with additional training. TitanHQ’s SafeTitan security awareness training and phishing simulation platform makes this as easy as possible, automating the delivery of training and phishing simulation exercises.
TitanHQ offers two powerful anti-phishing solutions – PhishTitan for Microsoft 365 users and SpamTitan anti-spam software. Both are powered by the same advanced engine that was recently assessed by VirusBulletin, and confirmed to block 100% of malware, 100% of phishing emails, and 99.999% of spam emails in Q4 tests. The incredibly strong performance earned TitanHQ top spot out of all the leading solutions under test. The strong anti-malware performance was due to twin (signature-based) antivirus engines and cutting-edge behavioral protection with email sandboxing.
With new, stealthy malware variants constantly being released, and cybercriminals developing highly sophisticated AI-based phishing campaigns, businesses need to ensure they have cybersecurity solutions capable of identifying and blocking the threats. With TitanHQ as your cybersecurity partner, you will be well protected against ever-evolving cyber threats. Give the TitanHQ team a call today for further information on bolstering your malware and phishing defenses or put these solutions to the test in a free trial.