Jump to content
Login new information ×
Login new information
  • Security & Privacy News

    Google ads push malicious CPU-Z app from fake Windows news site

    Karlston

    By Karlston,
    Published Date:

    • 331 views
    • 3 minutes
     Share
    • 331 views
    • 3 minutes

    A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware.

     

    The new campaign was spotted by Malwarebytes analysts who, based on the backing infrastructure, asses that it is part of the same operation that used Notepad++ malvertising to deliver malicious payloads.

    Campaign details

    The malicious Google advertisement for the trojanized CPU-Z, a tool that profiles computer hardware on Windows, is hosted on a cloned copy of the legitimate Windows news site WindowsReport.

     

    CPU-Z is a popular free utility that can help users monitor different hardware components, from fan speeds, to CPU clock rates, voltage, and cache details.

     

    ad.png

    The malicious Google Ad (Malwarebytes)

     

    Clicking the ad takes the victim through a redirect step that tricks Google’s anti-abuse crawlers by sending invalid visitors to an innocuous site.

     

    Those deemed valid to receive the payload are redirected to a Windows news site lookalike hosted on one of the following domains:

     

    • argenferia[.]com
    • realvnc[.]pro
    • corporatecomf[.]online
    • cilrix-corp[.]pro
    • thecoopmodel[.]com
    • winscp-apps[.]online
    • wireshark-app[.]online
    • cilrix-corporate[.]online
    • workspace-app[.]online

     

    redirection.png

    Redirection steps (Malwarebytes)

     

    The reason behind using a clone of a legitimate site is to add another layer of trust to the infection process, as users are familiar with tech news sites hosting download links for useful utilities.

     

    fake-real.png

    Comparison between the real and the fake site (Malwarebytes)

     

    Clicking on the ‘Download now’ button results in receiving a digitally-signed CPU-Z installer (MSI file) containing a malicious PowerShell script identified as the ‘FakeBat’ malware loader.

     

    signed.png

    Digitally signed installer file (Malwarebytes)

     

    Signing the file with a valid certificate makes it unlikely that Windows security tools or third-party antivirus products running on the device will serve a warning for the user.

     

    The loader fetches a Redline Stealer payload from a remote URL and launches it on the victim’s computer.

     

    ps-payload.png

    PowerShell downloading the final payload on the host (Malwarebytes)

     

    Redline is a powerful stealer able to collect passwords, cookies, and browsing data from a range of web browsers and applications, as well as sensitive data from cryptocurrency wallets.

     

    To minimize the chances of malware infections when looking for specific software tools, users should pay attention when clicking on promoted results in Google Search and check the if the loaded site and the domain match, or use an ad-blocker that hides them automatically.

     

    Source

     Share
    Go to news

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...