Ars Technica, the beloved tech news website, was recently used as a pawn in a devious malware campaign. Yes, you read that right. Ars Technica, a site known for its insightful articles and commentary on all things tech-related, became an unwitting accomplice in spreading malicious software.
It all started innocently enough with an image of a pizza being uploaded to a third-party website. Little did anyone know that this seemingly harmless picture would be used to execute the first stage of the dastardly plan. The URL linked to this innocent pizza image was then cleverly pasted into the “about” page of an unsuspecting registered user on Ars Technica’s platform.
But wait, it gets even more diabolical! The campaign also targeted Vimeo by uploading a benign video with a malicious string cunningly included in the video description using Base64 encoding. For those not familiar with Base64 encoding (which is probably most people), it’s essentially a way of representing binary data as a string of printable ASCII characters – because who doesn’t love some good old-fashioned binary data?
Mandiant researcher Yash Gupta described this novel attack chain as “a different and novel way we’re seeing abuse that can be pretty hard to detect.” Well played, malware creators. You managed to pull off something truly unique and interesting…if only your creativity could have been put towards more positive endeavors!
The nefarious image posted on Ars appeared in the “about” page of an innocent user who created their account on November 23rd – little did they know what chaos they were inadvertently unleashing upon the world! An Ars representative confirmed that the photo depicting everyone’s favorite cheesy delight (the pizza) was promptly removed after Ars was tipped off by email from an unknown party.
Now let’s talk about these images for just one moment – I mean, come on – do you really think anyone would suspect them? One showed nothing but pure deliciousness, while another had random-looking characters hidden within it that no one would ever notice until it was too late!
Fortunately for any potential victims out there (or should we say ‘pizza lovers’), Mandiant researchers assured us there were no consequences if someone happened to view these images or videos during their internet wanderings. It seems like our digital detectives are always looking out for us – thank goodness!
As if infecting devices through sneaky URLs wasn’t enough fun already, Mandiant revealed that UNC4990 – yes folks, they even gave themselves their own special name – has been active since at least 2020 and appears motivated by financial gain (because isn’t greed just so charming?). This group previously utilized GitHub and GitLab as part of their shenanigans.
And here comes another plot twist: initially transmitted via infected USB drives (yes, those still exist!), explorer.ps1 made its grand entrance onto infected devices before automatically reaching out to suspicious text files or URLs plastered across reputable websites like yours truly – oh joy! The Base64 strings it found there caused quite the commotion, leading up to Emptyspace making its debut appearance as well.
In case you’re wondering what happens next in this gripping tale – brace yourself, because there’s even more excitement coming your way! A third stage quietly lurks behind the scenes, waiting patiently until instructed by its command-and-control server, when suddenly… well, actually nothing much happened except the installation of cryptocurrency miners, which is kind of boring considering everything else going on.
So, dear reader(s), if you fear becoming entangled in such devious schemes concocted by these mischievous cyber-criminals covered by Mandiant, fret not! Just check Tuesday’s post, where all will be revealed, including an indicators-of-compromise section along with other delights awaiting discovery.
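As an added illustration (not code from the Ars article or from Mandiant), here is a simple moderation-side check a site could run over user-supplied text such as a profile “about” field or a video description: it finds Base64 runs that decode to readable text containing a URL, which is the shape of string this campaign planted for explorer.ps1 to fetch. The field names and sample text are constructed, and the 24-character minimum run length is an assumption.

```python
import base64
import binascii
import re
import string

# Maximal runs of Base64-alphabet characters with optional padding. The minimum
# length of 24 is an assumption chosen to skip ordinary words and short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_LIKE = re.compile(r"(?:https?://|www\.)[^\s'\"<>]+", re.IGNORECASE)
PRINTABLE = set(string.printable)


def decode_strict(candidate: str):
    """Decode `candidate` only if it is valid Base64 whose bytes are printable UTF-8 text."""
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None  # random-looking bytes: an alphanumeric run that is not hidden text
    return text


def scan_field(field_name: str, text: str) -> list:
    """Flag Base64 runs in a user-supplied field that decode to text containing a URL."""
    findings = []
    for match in B64_RUN.finditer(text):
        decoded = decode_strict(match.group(0))
        if decoded is None:
            continue
        urls = URL_LIKE.findall(decoded)
        if urls:
            findings.append({"field": field_name, "encoded": match.group(0),
                             "decoded": decoded, "urls": urls})
    return findings


def scan_profile(fields: dict) -> list:
    """Run scan_field over every free-text field of a profile or upload description."""
    return [f for name, text in fields.items() for f in scan_field(name, text)]


# Constructed sample data (not real indicators): a next-stage URL hidden as Base64
# in an "about" field, alongside a harmless profile that mentions a URL in the clear.
SAMPLE_STAGE_URL = "https://example.invalid/next-stage.txt"
SAMPLE_ABOUT = ("Pizza enthusiast. "
                + base64.b64encode(SAMPLE_STAGE_URL.encode()).decode()
                + " Long walks on the beach.")
BENIGN_ABOUT = "I write about pizza at https://example.invalid/blog every week."

if __name__ == "__main__":
    for finding in scan_profile({"about": SAMPLE_ABOUT, "signature": BENIGN_ABOUT}):
        print(f"{finding['field']}: {finding['urls']}")
```

A plain URL in the clear is deliberately not flagged here; the check targets the encoded form, so a real deployment would pair it with whatever link policy the site already applies.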
Oh what tangled webs we weave when first we practice malice online…
Source: Ars Technica used in malware campaign with never-before-seen obfuscation