There is a dangerous trend being deployed by the global hacker community, which is abusing the Google Ads platform to distribute malicious code to unsuspecting users who are looking for software products. popular software.
It is not difficult to name some popular software products in many different fields that are being used by hackers to spread malicious code through Google Ads. For example, the cases of Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird or Brave… The threat agent will copy the official websites of software projects, and distributes various trojan versions of the software when the user clicks the download button.
Some of the malware that has been recorded successfully infecting victim systems in this way include several variants of Raccoon Stealer, customized versions of Vidar Stealer, and the IcedID malware loader. They spread through large-scale malicious campaigns, which can take place on a global scale. For example, the campaign uses a fake MSI Afterburner port to infect users with the RedLine stealer.
The question is how do hackers promote and attract users to visit the fake websites they create? That is through Google Ad ad campaigns.
Google Ads Abuse
The Google Ads platform helps advertisers promote their websites on Google Search, placing them high in the list of results as ads, usually on the official product/project website.
This means that if you search for legitimate software on a browser that doesn’t have an ad blocker, you’ll see ads related to the software first, and it’s quite possible to click on that advertised link. because it looks very similar to the actual search results.
If Google detects that the malicious landing page is advertised, it will definitely be blocked and the ad removed immediately. So the threat actors need to use a little trick to get past Google’s automated checks.
The trick is to trick victims into clicking ads to an unrelated but “benign” website created by the threat actor, then redirecting them to a malicious website that impersonates the software project and from that to the malicious payload.
Malicious payloads, in ZIP or MSI form, downloaded from reputable file sharing and code hosting services like GitHub, Dropbox, or Discord’s CDN. This ensures that any anti-virus programs running on the victim’s system will not issue any warning against the file download request. In a typical campaign observed in November, hackers lured users with a version of Grammarly’s trojan brought to the Raccoon Stealer.
With malware bundled with legitimate software. Users will still get what they need, but at the same time, malicious code will also silently install on the system.
Precautions
A simple yet effective way to block these malicious campaigns is to enable an ad blocker on your web browser. This ad blocker filters out advertised results from Google Search, keeping you from having to face them.
Another precaution is to scroll down until you see the official domain name of the software project you are looking for. If you are unsure, you can do a few more related search queries. The official domain name is listed on the software’s Wikipedia page.
If you frequently visit a particular software project’s website to source updates, you’re better off bookmarking the URL and using it to access it directly when needed.
A common sign that the installer you are about to download may contain malicious code is an unusual file size. This is also something you should pay attention to.
Source:quantrimang
