A malvertising campaign is using the Invalid Printer loader to drop the Aurora information stealer.
Malicious ads trigger a fake Microsoft Windows update, which presents the victim with a bogus Chrome update.
Before dropping the payload, Invalid Printer first performs a range of checks to confirm the malware is not running in a VM or sandbox.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, Restricted to the Participant's Organization.
Not for Disclosure, Restricted/Classified - Only Shared with US DHS.