Users who search for popular software are being targeted by a new malvertising campaign. The campaign abuses Google Ads to offer trojanized versions of that software, which in turn spread malware such as Raccoon Stealer and Vidar.
This activity takes advantage of websites that appear to be reputable but have typosquatted domain names. These websites are pushed to the top of Google search results in the form of malicious advertisements by hijacking searches for particular keywords.
The end goal of these kinds of attacks is to deceive unaware users into downloading malicious software or applications that could be considered potentially harmful.
In one post that was made public by Guardio Labs, threat actors were seen creating a network of harmful websites that are promoted on the search engine. When one of these websites is visited, the visitor is redirected to a phishing page that contains a trojanized ZIP archive that is hosted on either Dropbox or OneDrive.
According to researcher Nati Tal, “The moment those ‘disguised’ sites are being visited by targeted visitors (those who actually click on the promoted search result) the server immediately redirects them to the rogue site and from there to the malicious payload.”
AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom are some of the software programs that have been impersonated.
Guardio Labs, which has given the campaign the name MasquerAds, attributes a significant portion of the activity to a threat actor that it is monitoring and referring to as Vermux. Guardio Labs notes that the adversary is “abusing a vast list of brands and keeps on evolving.”
In order to spread cryptocurrency miners and the Vidar information stealer, the Vermux operation has primarily focused on individuals living in the United States and Canada. This has been accomplished by using MasquerAds sites that have been customized to respond to searches for AnyDesk and MSI Afterburner.
This new development shows the continued use of typosquatted names, which imitate legitimate software in order to trick users into installing malicious Android and Windows programs.
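One defensive check that follows from the technique described above is to look for brand-lookalike domains in web proxy logs. The script below is an added example, not code from Guardio Labs or the article: the brand list comes from the software named in the article, while the allowlist of legitimate domains and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Brands the article lists as impersonated; the allowlist of their real domains is assumed.
BRANDS = ["anydesk", "dashlane", "grammarly", "malwarebytes",
          "visualstudio", "msiafterburner", "slack", "zoom"]
ALLOWLIST = {"anydesk.com", "dashlane.com", "grammarly.com", "malwarebytes.com",
             "visualstudio.com", "msi.com", "slack.com", "zoom.us"}

def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): a swap costs 1, so 'anydeks' is 1 from 'anydesk'."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def lookalike_brand(host):
    """Brand the host imitates, or None. Naive eTLD+1; short brands (zoom, slack) match by containment only."""
    dom = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if dom in ALLOWLIST:
        return None
    label = dom.split(".")[0]
    tokens = [t for t in re.split(r"[^a-z]+", label) if len(t) >= 5]  # skip short, noisy tokens
    for brand in BRANDS:
        limit = 0 if len(brand) < 6 else 1 if len(brand) < 8 else 2  # stricter for short names
        if brand in label.replace("-", "") or any(osa_distance(t, brand) <= limit for t in tokens if limit):
            return brand
    return None

def scan_proxy_log(lines):
    """Return (client, host, brand) for each 'client url' log line that hits a lookalike domain."""
    hits = []
    for line in lines:
        client, _, url = line.strip().partition(" ")
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            hits.append((client, host, brand))
    return hits

# Constructed sample proxy log (client, URL); not from the article.
SAMPLE_LOG = [
    "10.0.0.5 https://anydesk.com/en/downloads",
    "10.0.0.7 https://anydeks-download.com/get",
    "10.0.0.7 https://www.dropbox.com/s/abc/AnyDesk_setup.zip",
    "10.0.0.9 https://grammarlly.net/install",
]
```

A hit on a lookalike domain followed, from the same client, by a ZIP download from a file-sharing host is the chain the article describes and is worth alerting on.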
It is also not the first time that the Google Ads platform has been used to distribute malware; the practice is quite common. Microsoft announced last month an attack operation that uses the advertising service to spread BATLOADER, which is subsequently used to drop Royal ransomware. The disclosure came as part of the company’s monthly security update.
Aside from BATLOADER, malicious actors have also used malvertising to disseminate the IcedID malware through cloned web pages of popular programs such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird, and TeamViewer.
According to a statement released by Trend Micro the previous week, “IcedID is a noteworthy malware family that is capable of delivering other payloads, including Cobalt Strike and other malware.” The company added that “IcedID enables attackers to perform highly impactful follow through attacks that lead to total system compromise, such as data theft and crippling ransomware.”
The findings come at the same time as a warning issued by the Federal Bureau of Investigation (FBI) of the United States, which stated that “cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.”