Security Affairs
GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Adware Campaign borrows Obfuscation Techniques from Operation Aurora attack

Experts from Carbon Black have spotted a new Adware campaign leveraging on sophisticated obfuscation techniques borrowed from Operation Aurora. Security experts from Carbon Black have spotted a new Adware campaign leveraging on very sophisticated obfuscation techniques. The Adware campaign was used by crooks to spread ransomware and according to the malware researchers using tactics to similarities to the […]

Adware Campaign borrows Obfuscation Techniques from Operation Aurora attack

Experts from Carbon Black have spotted a new Adware campaign leveraging on sophisticated obfuscation techniques borrowed from Operation Aurora.

Security experts from Carbon Black have spotted a new Adware campaign leveraging on very sophisticated obfuscation techniques.

The Adware campaign was used by crooks to spread ransomware and according to the malware researchers using tactics to similarities to the nation-state attack known as Operation Aurora.

Carbon Black published a report that detailed the complex obfuscation techniques implemented by threat actors behind the campaign.
“Earlier this week, Carbon Black, in conjunction with the Cb User Exchange Community, discovered anomalies related to well-known Adware variants, including OpenCandy and Dealply, and trojanized Chromium, using highly sophisticated evasion techniques (previously observed by Carbon Black associated with nation-state attacks — specifically Operation Aurora, which targeted major companies including Google, Adobe, etc).” reads the report published by Carbon Black”These obfuscation techniques easily evade sandboxing and other intrusion detection techniques due to Binary Fragmentation. “
As explained in the post, the first clue was spotted by the experts casually when the customer noticed unusual use of command line argument activity that was specific of the Operation Aurora attack.  The attack was known as “cmdline:cop AND cmdline:/b” as explained in the report.

“Just for fun, I asked my customer to the run the query: cmdline:copy AND cmdline:/b. Cb Response showed they had three hits. I bolted upright in my chair. Three years ago, I stumbled upon this attack vector and I’d never seen it since… until last week.” continues the report.

“As we began to triage the event, we began to see .dat files being joined to form all sorts of unusual file types including .txt, .png, .log, .ico, & .dll files. It was highly irregular”

operation aurora like-attack

“So, now for the ‘stranger’ part. As we began to walk backward up the process tree, we began noticing that the parent processes launching these rather advanced obfuscation techniques were ‘routine’ adware, flagged multiple times by Virus Total.” 

The experts from Carbon Black received other similar support requests from their customers that experienced the same attack. According to the malware researchers, the victims from several industries were targeted by variants of adware used to deliver the Enigma ransomware.

According to the lead of the Advanced Consulting Team for Carbon Black, Benjamin Tedesco, the obfuscation techniques borrowed by the Operation Aurora were able to easily evade sandboxing and other detection mechanisms.

Once compromised the target machine, the malware used in the campaign was able to drop more payloads to perform other malicious activities.

This campaign is the demonstration that even behind an adware campaign, it is possible to find a very sophisticated threat.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Adware, Hacking)