Malicious ads enable crypto drainer theft of $59M
The cryptocurrency wallet drainer MS Drainer, distributed through malicious ads on Google and X (formerly Twitter), has drained $59 million from more than 60,000 victims since March, with activity peaking in May, June, and November, according to BleepingComputer.
Threat actors have embedded MS Drainer in ads that appear when users search Google for various decentralized finance platforms, according to a ScamSniffer report. Many of those ads display a URL that appears to belong to the official domain of the spoofed platform; this is made possible by abusing the tracking template feature of Google Ads, which lets the URL an ad shows differ from the page a click is ultimately sent to. Meanwhile, more than 60% of phishing ads on X were found to promote MS Drainer, and many of them were posted from verified accounts. Threat actors have used a variety of lures in their ads, including a supposedly limited edition non-fungible token collection from Ordinals Bubbles. Similar ads have been observed by MalwareHunterTeam, who noted that several of the X accounts involved may have had their passwords and authentication cookies stolen by an earlier malware infection.
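The tracking template abuse described above comes down to one observable fact: the domain shown in the ad is not the domain the click lands on. The following is an added example (written for this page, not code from ScamSniffer, Google, or the article) of an offline check that models that gap. The redirect map, ad URLs, and domain names below are constructed for illustration, and the registrable-domain helper is a deliberate simplification of the Public Suffix List.

```python
"""Constructed example: flag ads whose displayed domain differs from the
domain a click actually lands on after following tracking redirects.
Not code from the article or the vendors it cites."""

from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should use the
    Public Suffix List instead; this keeps the example offline."""
    host = (host or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def resolve_chain(start: str, redirects: dict, max_hops: int = 10) -> list:
    """Follow a constructed redirect map from the tracking URL.
    Stops on a loop or after max_hops so a hostile chain cannot spin forever."""
    chain = [start]
    seen = {start}
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def ad_mismatch(display_url: str, tracking_url: str, redirects: dict) -> dict:
    """Compare what the user sees (display_url) with where the click ends
    up (the tail of the redirect chain that starts at tracking_url)."""
    chain = resolve_chain(tracking_url, redirects)
    shown_host = urlparse(display_url).hostname or ""
    landed_host = urlparse(chain[-1]).hostname or ""
    shown = registrable_domain(shown_host)
    landed = registrable_domain(landed_host)
    return {
        "shown": shown,
        "landed": landed,
        "mismatch": shown != landed,
        "hops": len(chain) - 1,
        # IDN homoglyph domains surface as punycode in the hostname.
        "punycode": landed_host.startswith("xn--") or ".xn--" in landed_host,
    }


# Constructed redirect map standing in for a tracking server's behaviour.
CONSTRUCTED_REDIRECTS = {
    # Malicious: the tracker bounces to a lookalike host whose leftmost
    # labels mimic the real domain but whose registrable domain differs.
    "https://track.ads-example.net/c?id=1":
        "https://example-defi.org.wallet-verify.example/connect",
    # Benign: the tracker returns to the advertiser's own site.
    "https://track.ads-example.net/c?id=2":
        "https://app.example-defi.org/?utm=ad",
}

# The display URL an ad would show for the spoofed platform (constructed).
DISPLAY_URL = "https://example-defi.org"

MALICIOUS = ad_mismatch(DISPLAY_URL, "https://track.ads-example.net/c?id=1",
                        CONSTRUCTED_REDIRECTS)
BENIGN = ad_mismatch(DISPLAY_URL, "https://track.ads-example.net/c?id=2",
                     CONSTRUCTED_REDIRECTS)

if __name__ == "__main__":
    for label, result in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, result)
```

The check deliberately compares registrable domains rather than full hostnames, because legitimate advertisers routinely land on a subdomain of the domain they display; what the drainer campaign relies on is a different registrable domain entirely, which this comparison catches even when the landing host is prefixed with the real brand's name.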