submitted 9 months ago by L4s@lemmy.world to c/technology@lemmy.world

Ars Technica used in malware campaign with never-before-seen obfuscation — Buried in URL was a string of characters that appeared to be random, but were actually a payload. Vimeo also used by legitimate user who posted booby-trapped content.

top 7 comments
[-] 18_24_61_b_17_17_4@lemmy.world 58 points 9 months ago

Ars Technica compromised. Come read the story at Ars Technica!

[-] otter@lemmy.ca 11 points 9 months ago* (last edited 9 months ago)

I guess it's less that the site was compromised, and more that someone linked an image in their account bio? It only worked on victims already infected with the first stage (not that I understand what happened there)

Waiting for the

If you saw this pizza, you(r computer) might be infected

[-] VampyreOfNazareth@lemm.ee 1 point 9 months ago

Oh shit oooops

[-] SatanicNotMessianic@lemmy.ml 11 points 9 months ago

It’s also not clear that any Ars users visited the about page.

Are weblogs not a thing? They should be able to tell how many times that page was accessed and by whom with a single query.

[-] henfredemars@infosec.pub 10 points 9 months ago

It's complicated. It's possible that their web server does have these logs but they might not go into the database, and when you're a large website you might not have logs collected centrally simply because you generate so much data.
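The "single query" the two comments above are talking about, as an added example that is not part of this thread or of Ars' infrastructure: a small parser for the combined access-log format that nginx and Apache write by default, filtering requests for one path and grouping them by client IP. The member-page path and the log lines are constructed for the demo, not real Ars data.

```python
"""Added example: the 'single query' over web server access logs that the
thread discusses, written for the common combined log format (nginx/Apache
defaults). The path and log lines below are constructed, not Ars data."""
import re
from collections import Counter

# Constructed sample log lines; the member-page path is hypothetical.
ABOUT_PATH = "/civis/members/example-user.1/about"
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2024:10:01:12 +0000] "GET /civis/members/example-user.1/about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Jan/2024:10:02:03 +0000] "GET /civis/members/example-user.1/about?tab=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2024:10:05:44 +0000] "GET /civis/members/example-user.1/about HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jan/2024:10:06:00 +0000] "GET /gadgets/2024/01/ HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
garbage line that does not parse
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_combined(log_text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m:
            yield m.groupdict()


def visitors_of(log_text, path):
    """Requests per client IP for one path, ignoring the query string."""
    counts = Counter()
    for rec in parse_combined(log_text):
        if rec["path"].split("?", 1)[0] == path:
            counts[rec["ip"]] += 1
    return counts


def first_seen(log_text, path):
    """Timestamp of each client's first request for the path, for scoping."""
    seen = {}
    for rec in parse_combined(log_text):
        if rec["path"].split("?", 1)[0] == path and rec["ip"] not in seen:
            seen[rec["ip"]] = rec["ts"]
    return seen


if __name__ == "__main__":
    for ip, n in visitors_of(SAMPLE_LOG, ABOUT_PATH).most_common():
        print(ip, n, first_seen(SAMPLE_LOG, ABOUT_PATH)[ip])
```

Two caveats that matter in practice: a 304 is still a visit (the client asked for the page), so it is counted here, and a CDN or reverse proxy in front of the origin means the `ip` field may be the proxy's address unless the log format was changed to record the forwarded client address.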

[-] OldManBOMBIN@lemmy.world 6 points 9 months ago

Damn, that's pretty cool actually.

[-] autotldr@lemmings.world 5 points 9 months ago

This is the best summary I could come up with:


Ars Technica was recently used to serve second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user.

The campaign came from a threat actor Mandiant tracks as UNC4990, which has been active since at least 2020 and bears the hallmarks of being motivated by financial gain.

Opening the same file in a hex editor—a tool for analyzing and forensically investigating binary files—showed that a combination of tabs, spaces, and new lines were arranged in a way that encoded executable code.

The base 64 strings in the image URL or video description, in turn, caused the malware to contact a site hosting the second stage.

Anyone who is concerned they may have been infected by any of the malware covered by Mandiant can check the indicators of compromise section in Tuesday’s post.


The original article contains 675 words, the summary contains 173 words. Saved 74%. I'm a bot and I'm open source!

this post was submitted on 31 Jan 2024
105 points (98.2% liked)