
Google Ads Abused to Spread Malware in Malvertising Campaign

Cyber threat actors are abusing the Google Ads platform to spread malware more often than ever before. These malvertising campaigns target unsuspecting users who search for popular software products and lead them to fake websites that impersonate those products.

How the malvertising campaign works

Hackers clone the official websites of multiple legitimate software projects and use the clones to distribute trojanized versions of the applications.
  • Some of the impersonated software products include MSI Afterburner, Slack, Dashlane, Malwarebytes, Grammarly, Audacity, OBS, Ring, AnyDesk, Libre Office, Thunderbird, Teamviewer, Brave, μTorrent, and more.
  • Malware spread to victims’ systems includes Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID loader.
  • The payload (in ZIP or MSI form) is downloaded from file-sharing and code-hosting services such as GitHub, Dropbox, or Discord’s CDN so that anti-virus programs do not flag the download.

A threat group named Vermux was found using a large number of masquerAds sites and domains, served mostly from Russia, to target U.S. residents' crypto wallets and GPUs.

Why do threat actors abuse Google Ads?

The Google Ads platform lets advertisers pay to promote pages in Google Search results, even above the official website of the project being searched for.
  • Users who search for genuine software in a browser without an active ad blocker see such promoted websites first. If a promoted site is malicious, users are trapped without realizing it.
  • To avoid detection by Google or other security vendors, cyber threat actors first send victims to an irrelevant but benign-looking site created by the attacker, which then redirects them to a malicious site impersonating the genuine software.
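As an added illustration that is not part of the article, the chain described above as a defender would look for it in web-proxy logs: a Google ad click landing on a lookalike of an official vendor domain, followed by an installer fetched from one of the file-sharing or code-hosting origins named earlier. The vendor allowlist, the `/aclk` referrer convention, the log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of official vendor domains; extend it for your environment.
OFFICIAL = {"anydesk.com", "obsproject.com", "malwarebytes.com", "grammarly.com"}
# Payload origins the article names (GitHub, Dropbox, Discord's CDN).
PAYLOAD_HOSTS = {"cdn.discordapp.com", "github.com", "dl.dropboxusercontent.com", "www.dropbox.com"}
INSTALLER = re.compile(r"\.(msi|zip|exe)(\?.*)?$", re.I)

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]  # Levenshtein distance; catches one- or two-character typosquats

def impersonated_brand(host):
    """Official domain that `host` imitates, or None (registrable part ~ last two labels)."""
    base = ".".join(host.lower().split(".")[-2:])
    if base in OFFICIAL:
        return None
    label = base.split(".")[0]
    for official in OFFICIAL:
        brand = official.split(".")[0]
        if brand in label or edit_distance(label, brand) <= 2:
            return official
    return None

def find_malvertising_chains(log_text):
    """Lines: '<ts> <client> <url> <referrer>' (constructed proxy format). Alert when a client
    lands on a lookalike from a Google ad click (/aclk) and then pulls an installer from a payload host."""
    landed, alerts = {}, []
    for line in log_text.strip().splitlines():
        _, client, url, ref = line.split()
        host, ref_url = urlparse(url).netloc, urlparse(ref)
        if ref_url.netloc in {"google.com", "www.google.com"} and ref_url.path == "/aclk":
            brand = impersonated_brand(host)
            if brand:
                landed[client] = (host, brand)
        elif client in landed and host in PAYLOAD_HOSTS and INSTALLER.search(url):
            lookalike, brand = landed[client]
            alerts.append({"client": client, "lookalike": lookalike, "impersonates": brand, "payload": url})
    return alerts

# Constructed sample: 10.0.0.5 follows the malicious chain; 10.0.0.7 clicks the vendor's own ad.
SAMPLE_LOG = """
2023-01-10T10:00:02 10.0.0.5 https://anydesk-download.pro/ https://www.google.com/aclk?sa=L&ai=X
2023-01-10T10:00:09 10.0.0.5 https://cdn.discordapp.com/attachments/1/2/AnyDesk-Setup.zip https://anydesk-download.pro/
2023-01-10T10:01:00 10.0.0.7 https://anydesk.com/en/downloads https://www.google.com/aclk?sa=L&ai=Y
"""
```

When the attacker inserts a decoy site between the ad click and the lookalike, the lookalike's referrer is the decoy rather than Google, so the same logic should also be applied across the 302 redirect chain recorded by the proxy.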

Conclusion

One of the best ways to block such malvertising campaigns is to use an ad blocker in the web browser, which hides such promoted results. Another safe tactic is to scroll past the ads until the official domain of the software project appears. Additionally, an installer with an abnormal file size is a warning sign.
Cyware Publisher