Hackers use Google Ads to spread malware in popular programs


Malware operators are increasingly misusing the Google advertising platform (Google Ads) to deliver malware to users who search for popular software through the Google search engine.

The software impersonated in these campaigns includes Grammarly, Slack, µTorrent, OBS, AnyDesk, TeamViewer, office suites (LibreOffice), browsers (Brave), and others.

In these campaigns, attackers clone the official websites of the products listed above and serve trojanized versions of the software when users click the download button. Malware delivered to victims' systems in this way has included Raccoon Stealer variants, customized versions of Vidar Stealer, and the IcedID malware loader, among others.

Two reports by the information security firms Guardio Labs and Trend Micro revealed a massive campaign using more than 200 domains to impersonate popular software. In this campaign, the malicious websites are exposed to a wider audience through Google Ads campaigns.

It should be noted that the Google Ads platform lets advertisers promote pages in the Google search engine by placing them as ads at the top of the results list, often above the project's official website.

This means that users searching for legitimate software in a browser without an active ad blocker see the ads first and are more likely to click on them, because the ads look like the actual search results.

If Google detects that the landing page is malicious, it blocks the campaign and removes the ad. Attackers therefore have to use tricks at this point to circumvent Google's automated checks.

According to Guardio and Trend Micro, the trick is to send victims who click the ad to an unrelated but harmless website created by the attackers, which then redirects them to a malicious website posing as the software vendor's site.

Guardio Labs explained in the report: "The moment the target user visits these hidden pages, the server immediately redirects them to the fraudulent page and from there to the malicious payload. The payload comes in the form of a ZIP file or an executable file (MSI) and is then downloaded from popular file-sharing and code-hosting services such as GitHub, Dropbox, or a Discord CDN. This ensures that no antivirus software running on the victim's computer blocks the download."

In an attack last November, Guardio Labs said, attackers delivered a copy of Grammarly containing the Raccoon Stealer malware to users' computers. Because the malware was bundled with legitimate software, it had to be installed on the victim's device before it could be detected.

A Trend Micro report focusing on IcedID activity notes that the threat actors abuse the Keitaro traffic direction system (TDS) to determine whether a website visitor is a security researcher or an ordinary victim before redirecting them. As of 2019, the traffic direction system is faulty.

Sponsored search results can be misleading because they carry all the hallmarks of legitimacy. The FBI recently issued a warning about such ad campaigns and urged internet users to be extra careful.

A good way to prevent these attacks is to enable an ad blocker in your web browser, which filters out the results advertised through the Google engine. Another precaution is to scroll down past the ads to find the official domain of the software you are looking for. If you visit a particular site frequently, bookmark it so that you can reach it directly in the future.

Common signs that an installer is malicious are an unusual file size and misspelled names, which can be obvious.
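The advice above amounts to checking where a download actually came from, not where the ad claimed it came from. The following added example (not code from Guardio Labs, Trend Micro, or this article) shows how a download gate or proxy could apply that check to a captured redirect chain; the allowlist of official domains and the sample chains are constructed for illustration.

```python
"""Check a download's redirect chain against the vendor's official domain.

Constructed example for a defender-side download check. The allowlist and
the sample chains below are hypothetical, not real indicators.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist: product name -> registrable domain of the official site.
OFFICIAL_DOMAINS = {
    "grammarly": "grammarly.com",
    "obs": "obsproject.com",
    "anydesk": "anydesk.com",
}

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (no port, no userinfo)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_on_domain(host: str, domain: str) -> bool:
    """True only if host equals domain or is a proper subdomain of it.

    A plain substring test would accept 'grammarly.com.evil.example';
    the suffix test anchored at a dot does not.
    """
    return host == domain or host.endswith("." + domain)

def check_chain(product: str, chain: list) -> dict:
    """Classify a redirect chain that ended in a download.

    chain[0] is the advertised URL the user clicked, chain[-1] is the URL the
    installer was fetched from. Returns a verdict plus the hosts involved.
    """
    official = OFFICIAL_DOMAINS[product]
    hosts = [host_of(u) for u in chain]
    final_ok = is_on_domain(hosts[-1], official)
    # A hop that names the product but is not on the vendor domain is a lookalike.
    lookalikes = [h for h in hosts if product in h and not is_on_domain(h, official)]
    verdict = "trusted" if final_ok and not lookalikes else "suspicious"
    return {"verdict": verdict, "final_host": hosts[-1], "lookalikes": lookalikes}

# Constructed sample chains (not real indicators).
LEGIT_CHAIN = ["https://www.grammarly.com/", "https://download-cdn.grammarly.com/GrammarlySetup.exe"]
ROGUE_CHAIN = [
    "https://harmless-decoy.example/landing",          # decoy page shown to the ad scanner
    "https://grammarly-download.example/get",          # cloned vendor site
    "https://cdn.discordapp.example/files/Setup.zip",  # payload on a file-sharing CDN
]

if __name__ == "__main__":
    for chain in (LEGIT_CHAIN, ROGUE_CHAIN):
        print(check_chain("grammarly", chain))
```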



