Summary
Threat actors allegedly have started using combination of GoogleAds and SEO Poisoning to trick users, reroute them to the phishing websites and download trojanized version of Obsidian.
It is being recently reported on Obsidian subreddit about one of the such fake websites threat actors started abusing.
What is Obsidian?
Obsidian is a personal knowledge base and note-taking software application that operates on Markdown files. It allows users to make internal links for notes and then to visualize the connections as a graph. It is designed to help users organize and structure their thoughts and knowledge in a flexible, non-linear way. Wikipedia
Basically a very powerful note taking application with sync capabilities, plugins and publishing feature (btw, I’m using Obsidian to create this note).
Why Obsidian to trick users?
Obsidian getting more and more popular, like an advanced version of already very popular note taking application CherryTree. Especially, after the recent survey published by StackOverFlow, where they highlighted raising popularity of Obsidian. Threat actors follow the trends, that is why Obsidian has became another good phishing target.
Phishing Website Analysis
The website is crafted quite well, basically copying original website, and can easily lure users to click desired button “Download”.
The website contains three download links for Android APK, macOS DMG and Windows EXE payloads.
The website source contains few comments written in Russian, “Great Beginning” and “Great Ending” and others less noticeable comments for debugging:
This is requesting chain to download the Windows payload, which eventually leads to recently registered domain “dropsforbox[.]com”, which is hidden behind CloudFlare as other noticeable websites.
Another cool fact is that the windows payload has been changed to a different version with significant difference in the size, compare to the previous version, where lower size – newer version. Worth mentioning, the actual legitimate Obsidian installer weighs around 250 mbs.
Requesting chain to download the macOS payload looks a bit more interesting as it is gets generated dynamically and always produce different file size, different file name and hence, different hash of the payload. Moreover, the file gets downloaded from different domain – gztxbb[.]com, which also has been registered very recently and being resolved to Hetzner owned IP – 46[.]4.13.241. The main phishing website and code gets updated in the real time, the time range between screenshots is less than 8 hours.
Before the changes:
After the changes:
Requesting chain for macOS payload:
After awhile, Google Chrome started blocking downloading attempts:
Some other interesting script called by the website is located here – https://adminforbusiness[.]com/statistic/js/stat.js and has a JavaScript function displayed below:
Based on the name and the code, we can assume, this function calls other PHP script located on the domain adminnnnnxxxxx123[.]com is designated to count number of visits from the variety of multiple phishing domains as one of the arguments is “widnow.location.hostname”, which grabs the hostname of the website, where the request has been made from. The domain adminnnnnxxxxx123[.]com is also hidden behind CloudFlare, but is not accessible as the backend is currently unavailable.
The malware is allegedly an infostealer, what matches the patterns of huge variety of other similar campaigns: SEO Poisoning, GoogleAds mechanisms, impersonating popular tool.
IOCs
List of IOCs are below, consider them for retro hunting as malware infrastructure changes very frequently:
obsidianworking.com – CloudFlare – Inactive
gztxbb.com – 46.4.13.241 – Active
dropsforbox.com – CloudFlare – Active
adminnnnnxxxxx123.com – CloudFlare – Active
adminforbusiness.com – CloudFlare – Active
obsidianworking.com
gztxbb.com
dropsforbox.com
adminnnnnxxxxx123.com
adminforbusiness.com
46.4.13.241Hashes don’t make much sense, so I’ve uploaded couple of samples to VirusTotal and MalwareBazaar for further research for those, who is interested, quite weird, that Windows samples have relatively low detection rate on the VirusTotal:
Obsidian_Installer_v.3.15.exe (bigger size) – VirusTotal
Obsidian_Installer_v.3.15.exe (smaller size) – VirusTotal, MalwareBazaar
Obsidian_v.1.7.dmg (1st sample) – VirusTotal, MalwareBazaar
Obsidian_v.2.10.dmg (2nd sample) – VirusTotal, MalwareBazaar
Allegedly, Windows Infostealer is Rhadamanthys and macOS Infostealer is Atomic macOS Stealer, according to the data provided by VirusTotal and MalwareBazaar.
Conclusion
Infostealers have long posed a significant threat, but only recently have large companies begun to recognize the scale of the problem. Attackers can bypass complex security measures by using stolen legitimate credentials to access company systems, such as employee portals or VPNs. HudsonRock at the forefront of tracking infostealer-related breaches and raising awareness of the threat. To combat this, organizations should focus on educating employees about safe online practices, including the use of password managers instead of storing credentials in browsers.