- Attackers use fake Fortinet dialogs and social engineering to trick users into running malware
- Cache smuggling hides the malware in the browser cache, so no PowerShell download takes place and tools that watch for PowerShell web requests see nothing
- The malware is extracted from fake image files and deployed as FortiClientComplianceChecker.exe
Experts have said hackers are using a combination of social engineering, cache smuggling, identity theft and simple bluffing to bypass common security protections and deploy malware to victims’ computers.
Security researchers at Expel, as well as an independent researcher using the alias P4nd3m1cb0y, observed websites presenting what purported to be a Fortinet VPN “Compliance Checker” pop-up dialog.
There appears to be no such thing, other than the ability to configure the FortiClient compliance profile within FortiOS. In any case, that dialog box instructs the victim to copy what appears to be a path to a file installed on the hard drive and paste it into File Explorer.
Used by ransomware actors
In reality, the path is padded with more than 100 spaces to hide its true purpose: what follows the padding is a PowerShell command. At the same time, the phishing website runs JavaScript that instructs the browser to fetch an image and cache it on the file system. This file is not a real image, but the malware in disguise.
“This technique, known as cache smuggling, allows malware to bypass many different types of security products,” the researchers explained.
“Neither the web page nor the PowerShell script explicitly downloads any files. By simply letting the browser cache the fake ‘image’, the malware can obtain a complete zip file on the local system without the PowerShell command having to make any web requests.”
“As a result, any tool that analyzes downloaded files or looks for PowerShell scripts that make web requests will not detect this behavior.”
The script then scans each cache file for content that is actually a .ZIP file stored in the fake image and extracts it to FortiClientComplianceChecker.exe, the real malware. There was very little said about who the attackers or victims were, but apparently some ransomware actors have already started implementing this tactic in their attacks.
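The two tricks described above, the padded "path" that hides a command behind a run of spaces and the cached "image" that carries a ZIP archive, both leave artifacts a defender can look for. The following is an added example of such checks, not code from TechRadar, Expel or P4nd3m1cb0y: it assumes the browser cache is a flat directory of files, treats any file that opens with a JPEG/PNG/GIF magic number but contains a valid ZIP archive as suspicious, and flags clipboard-style strings in which a plausible path is followed by a long whitespace run and then further text. The cache file names, the `build_fake_image` helper and the lure string are constructed for the demonstration.

```python
"""Defender-side checks for cache smuggling and padded-path lures (added example)."""
import io
import os
import re
import tempfile
import zipfile

# Magic numbers of the image formats a smuggled "image" would most likely imitate.
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record

# A decoy (anything ending in a non-space), then >= PAD_MIN spaces/tabs, then hidden text.
PAD_MIN = 20
PADDED_LURE = re.compile(r"^(?P<decoy>.*?\S)(?P<pad>[ \t]{%d,})(?P<hidden>\S.*)$" % PAD_MIN)


def image_type(data: bytes):
    """Return the image format the file claims to be, judged by its magic bytes, or None."""
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_zip(data: bytes):
    """Return (offset, member names) if a parseable ZIP archive is hidden in data, else None.

    A chance 'PK\\x03\\x04' inside genuine image data is possible, so the archive is
    actually opened with zipfile before anything is reported, which keeps false
    positives down.
    """
    start = data.find(ZIP_LOCAL_HEADER)
    if start == -1 or data.rfind(ZIP_EOCD) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_cache(cache_dir: str):
    """Walk a cache directory and report files that look like images but carry a ZIP."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        kind = image_type(data)
        if kind is None:
            continue
        hit = find_embedded_zip(data)
        if hit is not None:
            offset, members = hit
            findings.append({"file": name, "image_type": kind,
                             "zip_offset": offset, "members": members})
    return findings


def check_padded_lure(text: str):
    """Flag a single-line string whose visible 'path' hides further text behind padding."""
    m = PADDED_LURE.fullmatch(text)
    if m is None:
        return None
    return {"decoy": m.group("decoy"), "pad_len": len(m.group("pad")),
            "hidden": m.group("hidden")}


def build_fake_image(magic: bytes, member_name: str, payload: bytes) -> bytes:
    """Constructed test fixture: image magic, some filler, then a ZIP containing payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return magic + b"\x00" * 64 + buf.getvalue()


def demo():
    """Build a constructed cache directory and lure string, run both checks, return results."""
    cache_dir = tempfile.mkdtemp(prefix="cache_demo_")
    fake = build_fake_image(b"\xff\xd8\xff", "FortiClientComplianceChecker.exe", b"not a real binary")
    with open(os.path.join(cache_dir, "f_000001"), "wb") as fh:
        fh.write(fake)
    with open(os.path.join(cache_dir, "f_000002"), "wb") as fh:   # benign-looking PNG stub
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x01" * 200)
    findings = scan_cache(cache_dir)
    # Constructed lure: a believable path, 120 spaces, then a placeholder command.
    lure = r"C:\Program Files\Fortinet\FortiClient\ComplianceChecker.exe" + " " * 120 \
        + "powershell -NoProfile -Command <placeholder>"
    benign = r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
    return findings, check_padded_lure(lure), check_padded_lure(benign)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The cache scanner reports the claimed image type, the byte offset at which the archive begins and the archive's member names, which is enough to write a detection rule or an alert; the lure check is meant for clipboard or web-content telemetry, where a visible "path" followed by twenty or more spaces and then more text is worth a closer look.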
Via BleepingComputer