Mokes and Buerak Malware Disguised as Security Certificate Updates on Websites

Distributing malware by disguising it as a legitimate software update is not new, but threat actors are using a new twist on the method: compromised sites are made to show visitors a notice that a security certificate has expired, which is then used to deliver the Buerak and Mokes malware. Several websites across different industries have been compromised and used to deliver malware this way since the earliest detection on January 16th, 2020.

A jquery.js script overlays an iframe that is the same size as the original page, so instead of the page they are used to, users see a banner urging them to install a certificate update. The contents of the iframe are loaded from the attacker’s web server at the domain name ldfidfa[.]pw. Clicking the install button initiates the download of a file named Certificate_Update_v02.2020.exe, which was detected as Exploit.Win32.ShellCode.gen. Further analysis identified the file as Downloader.Win32.Buerak, packed using Nullsoft Scriptable Install System.

Mokes was also seen being distributed in a very similar campaign back in January, so the campaign is not limited to a single malware family. Command and Control (C2) servers observed in the campaign include kkjjhhdff[.]site (47.245.30[.]255) and oderstrg[.]site.
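To hunt for this activity in web proxy logs, the indicators above can be matched against requested URLs. The following Python sketch is an added example, not code from the original report; the log format, client addresses, example.* hosts and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators exactly as published in the write-up (defanged); refanged at load.
PUBLISHED_IOCS = ["ldfidfa[.]pw", "kkjjhhdff[.]site", "oderstrg[.]site",
                  "47.245.30[.]255"]
LURE_FILE = "certificate_update_v02.2020.exe"  # compared case-insensitively


def refang(indicator):
    return indicator.replace("[.]", ".").lower()


BAD_HOSTS = sorted(refang(i) for i in PUBLISHED_IOCS)


def classify(url):
    """Return the reasons a URL matches the campaign (empty list if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact host or a subdomain of it; a bare substring test would over-match.
    reasons = ["host:" + b for b in BAD_HOSTS
               if host == b or host.endswith("." + b)]
    if parts.path.rsplit("/", 1)[-1].lower() == LURE_FILE:
        reasons.append("file:" + LURE_FILE)
    return reasons


def scan(lines):
    """Return (client, url, reasons) for each matching proxy log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits


# Constructed sample log (hypothetical format: time client method url status).
IFRAME, C2 = refang("ldfidfa[.]pw"), refang("kkjjhhdff[.]site")
SAMPLE_LOG = [
    "2020-03-05T10:01:02Z 10.0.0.5 GET http://example.com/index.html 200",
    f"2020-03-05T10:01:03Z 10.0.0.5 GET http://{IFRAME.upper()}/ 200",
    "2020-03-05T10:01:09Z 10.0.0.5 GET http://dl.example.net/Certificate_Update_v02.2020.exe 200",
    f"2020-03-05T10:02:00Z 10.0.0.7 CONNECT {C2}:443 200",
    f"2020-03-05T10:03:00Z 10.0.0.8 GET http://{IFRAME}.example.org/ 200",
]
```

Calling `scan(SAMPLE_LOG)` flags the iframe host, the lure download and the C2 connection, and ignores the benign page and the look-alike host under example.org.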