Malware operators are increasingly exploiting the Google Ads platform to spread malware to unsuspecting users searching for popular software products.
Products impersonated in these campaigns include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.
The threat actors clone the official website of the targeted project and distribute a Trojanized version of the software when users click the download button.
Malware delivered to the victim’s system in this manner includes variants of the Raccoon Stealer, custom versions of the Vidar Stealer, and the IcedID malware loader.
BleepingComputer recently reported on such a campaign, which helped uncover a massive typosquatting campaign with over 200 domains impersonating software projects. Another example is a campaign that used a fake MSI Afterburner portal to infect users with the RedLine stealer.
What those reports lacked was how users were reaching these websites; that part is now known.
Two reports from Guardio Labs and Trend Micro explain that these malicious websites are being promoted to more users via Google Ads campaigns.
Abuse of Google Ads
The Google Ads platform lets advertisers promote their pages on Google Search, often placing them at the top of the results list as ads, above the project’s official website.
This means that users looking for legitimate software in a browser without an active ad blocker will see the promotion first and are more likely to click on it, because it closely resembles a real search result.
If Google detects that the landing site is malicious, the campaign is blocked and the ad removed, so the attacker must use tricks at that step to bypass Google’s automated checks.
According to Guardio and Trend Micro, the trick is to point the ad at an unrelated but harmless site created by the threat actor, which then redirects victims who clicked the ad to a malicious site disguised as the software project.
“The moment these ‘impersonated’ sites are visited by the targeted visitor, the server instantly redirects them to the malicious site and from there to the malicious payload,” Guardio Labs explains.
“These fraudulent sites are virtually invisible to crawlers, bots, occasional visitors, and of course to visitors who do not come from the actual promotion flow, which appears as harmless and irrelevant sites to Google’s policy enforcers.” – Guardio Labs
The payload in ZIP or MSI format is downloaded from reputable file sharing and code hosting services such as GitHub, Dropbox and Discord’s CDN. This ensures that no antivirus program running on the victim’s machine will object to the download.
Guardio Labs says that in a campaign it observed in November, attackers lured users with a Trojanized version of Grammarly that delivered the Raccoon Stealer.
The malware was bundled with the legitimate software: the user gets the program they downloaded, while the malware is installed silently alongside it.
Trend Micro’s report, which focused on the IcedID campaign, found that attackers abused the Keitaro Traffic Direction System to determine whether a visitor was a researcher or a genuine victim before performing the redirect. This abuse of the TDS has been observed since 2019.
Avoid harmful downloads
Promoted search results look legitimate in every respect, so treat them with caution. The FBI recently issued a warning about this type of advertising campaign, urging Internet users to be very careful.
One good way to block these campaigns is to enable an ad blocker in your web browser. This excludes advertised results from Google Search.
Another precaution is to scroll down until you see the official domain of the software project you are looking for. If you’re not sure, the Wikipedia page for the software lists the official domains.
If you frequently visit a particular software project’s website to obtain updates, we recommend that you bookmark the URL for direct access.
A common indication that the installer you are trying to download may be malicious is an unusual file size.
Another obvious piece of evidence of foul play is the domain of the download site. It may look like the official one, but two letters in the name have been swapped or one letter replaced, a technique known as “typosquatting”.
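As an added example (not code from the article or from any of the vendors named in it), the following Python checks a download URL’s domain against a small allow-list of official vendor domains and flags the typosquatting patterns described above: a swapped pair of letters, a single wrong letter, or the right name under a different top-level domain. The allow-list and the two-label “registrable domain” shortcut are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example: a few vendors named in the article
# with their official domains. A real deployment would maintain its own list.
OFFICIAL_DOMAINS = {"grammarly.com", "obsproject.com", "libreoffice.org", "anydesk.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insertion, deletion, substitution
    or adjacent-character swap each count as 1 (the swap is the common typosquat)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumed simplification for the example:
    ignores multi-label public suffixes such as co.uk and IDN homoglyphs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_download_host(url: str, official=OFFICIAL_DOMAINS):
    """Return (verdict, matched_official_domain) for a download URL.
    official  : registrable domain is on the allow-list
    lookalike : same name as an official domain but a different TLD
    typosquat : name is one edit or one adjacent swap away from an official one
    unrelated : nothing resembles a listed vendor (e.g. a file-sharing CDN)"""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in official:
        return "official", reg
    name, _, tld = reg.rpartition(".")
    for odom in sorted(official):
        oname, _, otld = odom.rpartition(".")
        if name == oname and tld != otld:
            return "lookalike", odom
        if osa_distance(name, oname) == 1:
            return "typosquat", odom
    return "unrelated", None
```

A download served from a file-sharing CDN, as the article describes, comes back as "unrelated": the host is not a typosquat of a vendor, but it is not the vendor either, which is the cue to go to the official domain instead.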