Jump to content
  • Hackers abuse Google Ads to spread malware in legit software

    alf9872000

    • 467 views
    • 4 minutes
     Share


    • 467 views
    • 4 minutes

    Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products.

     

    Among the products impersonated in these campaigns include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

     

    The threat actors the clone official websites of the above projects and distribute trojanized versions of the software when users click the download button.

     

    Some of the malware delivered to victim systems this way include variants of Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID malware loader.

     

    BleepingComputer has recently reported on such campaigns, helping to reveal a massive typosquatting campaign that used over 200 domains impersonating software projects. Another example is a campaign using fake MSI Afterburner portals to infect users with the RedLine stealer.

     

    However, one missing detail was how users were exposed to these websites, a piece of information that has now become known.

     

    Two reports from Guardio Labs and Trend Micro explain that these malicious websites are promoted to a broader audience via Google Ad campaigns.

    Google Ads abuse

    The Google Ads platform helps advertisers promote pages on Google Search, placing them high in the list of results as advertisements, often above the official website of the project.

     

    This means that users looking for legitimate software on a browser without an active ad blocker will see promotion first and are likely to click on it because it looks very similar to the actual search result.

     

    If Google detects that the landing site is malicious, the campaign is blocked, and the ads are removed, so threat actors need to employ a trick in that step to bypass Google’s automated checks.

     

    According to Guardio and Trend Micro, the trick is to take the victims clicking on the ad to an irrelevant but benign site created by the threat actor and then redirect them to a malicious site impersonating the software project.

     

    sites(2).png

    Landing and rogue sites used in the campaigns (Guardio Labs)

     

    “The moment those “disguised” sites are being visited by targeted visitors the server immediately redirects them to the rogue site and from there to the malicious payload,” explains Guardio Labs in the report.

     

    “Those rogue sites are practically invisible to visitors not reaching from the real promotional flow showing up as benign, unrelated sites to crawlers, bots, occasional visitors, and of course for Google’s policy enforcers” - Guardio Labs

     

    The payload, which comes in ZIP or MSI form, is downloaded from reputable file-sharing and code-hosting services such as GitHub, Dropbox, or Discord’s CDN. This ensures that any anti-virus programs running on the victim’s machine won’t object to the download.

     

    flow.png

    The malware infection flow (Guardio Labs)

     

    Guardio Labs says that in a campaign they observed in November, the threat actor lured users with a trojanized version of Grammarly that delivered Raccoon Stealer.

     

    The malware was bundled with the legitimate software. Users would get what they downloaded and the malware would install silently.

     

    Trend Micro’s report, which focuses on an IcedID campaign, says the threat actors abuse the Keitaro Traffic Direction System to detect if the website visitor is a researcher or a valid victim before the redirection happens. Abusing this TDS has been seen since 2019.

    Avoid harmful downloads

    Promoted search results can be tricky as they carry all the signs of legitimacy. The FBI has recently issued a warning about this type of ad campaign, urging internet users to be very cautious.

     

    One good way to block these campaigns is to activate an ad-blocker on your web browser, which filters out promoted results from Google Search.

     

    Another precaution would be to scroll down until you see the official domain of the software project you’re looking for. If unsure, the official domain is listed on the software’s Wikipedia page.

     

    If you visit the website of a particular software project frequently to source updates, it’s better to bookmark the URL and use that for direct access.

     

    A common sign that the installer you’re about to download might be malicious is an abnormal file size.

     

    Another clear giveaway of foul play is the domain of the download site, which may resemble the official one but has swapped characters in the name or a single wrong letter, known as “typosquatting.”

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...