    May 29, 2025

    Malvertising Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection

    Over the last 2 weeks, we have observed a spike in what appears to be malvertising. Customers have reported downloading a file after clicking a sidebar ad in a news article, which then led to command and control and browser credential stealing behaviors. The advertisement and website (VirusTotal) claim to help find recipes and count calories for various food items. Notably, over 80% of the customers we have observed responding to this same event are in the healthcare industry.

    Additional Details

    Upon download, the file “Recipe Lister” unzips and drops a second, larger executable, “Recipe Finder - Recipe Lister”, followed by additional DLLs. We have observed consistent file paths for this output:

    C:\Users\<user>\AppData\Local\Temp\<7-char>.tmp\7z-out
    C:\Users\<user>\AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0

    This then leads to repeated network connections to suspicious or negatively reputed IP addresses (see the VirusTotal reports). We have also noticed file creation time changes, which are consistent with timestomping behavior (T1070). Customers responding to this event have reported command and control traffic followed by theft of browser credentials. The software also appears to use NSIS plugins and to rely on DLL side-loading techniques (T1574 | VirusTotal hash).

    Finally, we observe it reaching out to varying domains across the events (listed below). These appear odd or suspicious, have associated malicious IP reputations, and are newly registered.

    Recommendations

    Overall, this software appears highly suspicious at the very least. The events observed and customer feedback are consistent with a malicious advertising campaign (T1583). Additional sandbox reports, such as Any.Run’s report and Joe Sandbox’s report, reach suspicious and malicious verdicts that are consistent with our current observations and analysis.

    We recommend blocking the following hashes, IPs and domains where you are able to do so:

    www[.]recipelister[.]com
    https[:]//ahegazedatthewond[.]org
    https[:]//manahegazeda[.]org
    https[:]//sappointedmanah[.]org
    "Recipe Lister": 1619BCAD3785BE31AC2FDEE0AB91392D08D9392032246E42673C3CB8964D4CB7
    "Recipe Finder - Recipe Lister": 9C58AACA8DDE7198240F7684B545575E4833D725D67F37E674E333EEB3EC642C
    224[.]0[.]0[.]251
    172[.]67[.]150[.]5
    104[.]21[.]57[.]122
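As an added example (not Blumira's own tooling), the script below refangs the indicators published above and sweeps them over a constructed sample of pipe-delimited endpoint and network events: process creations are checked against both the file hashes and the Temp\<7-char>.tmp\7z-out drop path described earlier, DNS queries against the domains, and outbound connections against the IPs. The log format, field names and sample events are assumptions made for the example; the indicators themselves are copied from the list above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators transcribed from the advisory above, kept defanged as published.
ADVISORY_DOMAINS = [
    "www[.]recipelister[.]com",
    "https[:]//ahegazedatthewond[.]org",
    "https[:]//manahegazeda[.]org",
    "https[:]//sappointedmanah[.]org",
]
ADVISORY_HASHES = {
    "1619BCAD3785BE31AC2FDEE0AB91392D08D9392032246E42673C3CB8964D4CB7": "Recipe Lister",
    "9C58AACA8DDE7198240F7684B545575E4833D725D67F37E674E333EEB3EC642C": "Recipe Finder - Recipe Lister",
}
ADVISORY_IPS = ["224[.]0[.]0[.]251", "172[.]67[.]150[.]5", "104[.]21[.]57[.]122"]

# 224.0.0.251 is the mDNS multicast group, which ordinary LAN hosts talk to routinely,
# so a hit on it alone is reported as low confidence rather than as a block-worthy signal.
LOW_CONFIDENCE_IPS = {"224.0.0.251"}

# Drop location named in the advisory: ...\AppData\Local\Temp\<7-char>.tmp\7z-out\
DROP_PATH = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{7}\.tmp\\7z-out\\", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable host or IP (scheme and trailing slash dropped)."""
    v = value.replace("[.]", ".").replace("[:]", ":")
    v = re.sub(r"^https?://", "", v, flags=re.IGNORECASE)
    return v.rstrip("/").lower()


DOMAINS = {refang(d) for d in ADVISORY_DOMAINS}
IPS = {refang(i) for i in ADVISORY_IPS}
HASHES = {h.lower(): name for h, name in ADVISORY_HASHES.items()}


@dataclass
class Hit:
    line_no: int
    indicator: str
    reason: str
    confidence: str  # "high" or "low"


def parse_event(line: str) -> dict:
    """Parse one constructed pipe-delimited key=value log line into a dict (assumed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def host_matches(host: str) -> Optional[str]:
    """Return the advisory domain that the queried host equals or is a subdomain of, if any."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_event(line_no: int, ev: dict) -> List[Hit]:
    hits: List[Hit] = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        image = ev.get("image", "")
        if DROP_PATH.search(image):
            hits.append(Hit(line_no, image, "executable launched from advisory drop path", "high"))
        digest = ev.get("sha256", "").lower()
        if digest in HASHES:
            hits.append(Hit(line_no, digest, f"SHA-256 matches '{HASHES[digest]}'", "high"))
    elif kind == "DnsQuery":
        d = host_matches(ev.get("query", ""))
        if d:
            hits.append(Hit(line_no, d, "DNS query for advisory domain", "high"))
    elif kind == "NetworkConnect":
        dst = ev.get("dst", "")
        if dst in IPS:
            conf = "low" if dst in LOW_CONFIDENCE_IPS else "high"
            hits.append(Hit(line_no, dst, "connection to advisory IP", conf))
    return hits


def scan_log(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_event(n, parse_event(line)))
    return hits


# Constructed sample events for the example; not real telemetry from the advisory.
SAMPLE_LOG = [
    r"event=ProcessCreate|image=C:\Users\jdoe\AppData\Local\Temp\aB3dE7f.tmp\7z-out\Recipe Finder - Recipe Lister.exe|sha256=9c58aaca8dde7198240f7684b545575e4833d725d67f37e674e333eeb3ec642c",
    r"event=ProcessCreate|image=C:\Windows\System32\notepad.exe|sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "event=DnsQuery|query=manahegazeda.org",
    "event=NetworkConnect|dst=172.67.150.5|dport=443",
    "event=NetworkConnect|dst=224.0.0.251|dport=5353",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no} [{h.confidence}] {h.reason}: {h.indicator}")
```

Run against the sample, the first process event produces two high-confidence hits (drop path and hash), the DNS query and the 172.67.150.5 connection one each, and the mDNS connection a single low-confidence hit; the notepad event produces none. Matching subdomains of the listed domains and lowercasing hashes before comparison avoids misses when telemetry sources format values differently from the advisory.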



    Taylor Jacobson

    Taylor is a Senior Security Analyst at Blumira. GIAC certified, Taylor has a background in security operations and is a passionate blue teamer, helping others make sense of and respond to evolving threats.
