The DEV-0569 threat actor is actively utilizing Google Ads to launch large-scale and continuous advertising campaigns that spread malware, obtain victims' passwords, and ultimately infiltrate networks for the purpose of conducting ransomware attacks. 

Google search results have become a breeding ground for cybercriminals spreading malware through malicious ads, which pose a significant threat to users. The tactic is increasingly common: cybercriminals use malicious ads to trick users into downloading malware or handing over personal information.

Diving into details

Malicious ads in Google search results are being used by DEV-0569 to lure users to fake websites impersonating popular software programs.
  • Some of the programs most often impersonated by the adversaries are Rufus, 7-Zip, FileZilla, LightShot, AnyDesk, LibreOffice, VLC, Awesome Miner, WinRAR, and TradingView.
  • When users click the download links, they may unknowingly download an MSI file that installs various types of malware, depending on the campaign.
  • The malware delivered to compromised systems includes RedLine Stealer, Vidar, Gozi/Ursnif, Cobalt Strike, and ransomware.
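A defender-side hunt for the lure pattern described above, written as an added example rather than code from the article or from Cyware: it scans constructed proxy log lines for .msi downloads from hosts that contain one of the listed brand names but are not on an assumed allowlist of official download hosts (the sample log and the allowlist are both constructed assumptions).

```python
import re
from urllib.parse import urlparse

# Brands the article lists as impersonated in DEV-0569 malvertising lures.
IMPERSONATED_BRANDS = ("rufus", "7zip", "filezilla", "lightshot", "anydesk",
                       "libreoffice", "vlc", "awesomeminer", "winrar", "tradingview")

# Assumed allowlist of legitimate download hosts; replace it with the vetted
# hosts from your own software catalogue.
ALLOWED_HOSTS = {"www.7-zip.org", "rufus.ie", "filezilla-project.org", "anydesk.com"}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2023-01-12T09:14:03Z alice GET https://www.7-zip.org/a/7z2201-x64.msi 200
2023-01-12T09:15:41Z bob GET https://rufus-downloads.example/Rufus-3.21.msi 200
2023-01-12T09:16:02Z bob GET https://rufus-downloads.example/index.html 200
2023-01-12T09:17:55Z carol GET https://any-desk-setup.example/files/AnyDesk.msi 200
2023-01-12T09:18:10Z dave GET https://news.example/story.html 200
"""

def matched_brand(host):
    """Return the impersonated brand whose name appears in the host, else None.

    Separators are stripped first so 'any-desk-setup' still matches 'anydesk'.
    """
    flat = re.sub(r"[^a-z0-9]", "", host.lower())
    return next((b for b in IMPERSONATED_BRANDS if b in flat), None)

def find_lookalike_msi_downloads(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Flag .msi downloads from brand-like hosts that are not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the hunt
        ts, user, _method, url, _status = fields
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not parsed.path.lower().endswith(".msi") or host in allowed_hosts:
            continue
        brand = matched_brand(host)
        if brand:
            hits.append({"time": ts, "user": user, "host": host, "brand": brand})
    return hits

if __name__ == "__main__":
    for h in find_lookalike_msi_downloads(SAMPLE_LOG):
        print(f"{h['time']} {h['user']} fetched a {h['brand']} lookalike MSI from {h['host']}")
```

Short brand names such as "vlc" will match unrelated hosts, so tune the brand list and the allowlist to your environment before using the output for alerting.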

Abusing Google Ads invites

Threat actors are also abusing Google Ads invites to send bulk email messages promoting spam and adult websites to users who may never have interacted with Google's advertising platforms.
  • In a recent and widespread campaign, attackers used the Google Ads admin interface to send email invitations that, because they originate from Google, bypass recipients' spam filters.
  • The URLs in these invite emails ultimately redirect users to suspicious websites promoting adult dating sites, designed to harvest personal information from visitors.

The bottom line

Threat actors are constantly launching new ad campaigns and new sites, making it difficult to keep up. Such campaigns may give cybercriminals initial access to corporate networks, resulting in data theft, ransomware infection, and other destructive attacks. Users are urged to be careful when downloading apps and programs.
Cyware Publisher