Hackers Use Google Ads Massively to Deliver Malware Payloads

Hackers have become more sophisticated in their use of Google Ads. They have been exploiting the platform for spreading malware to unsuspecting users when searching for reputable software products or other tools.

As part of this campaign, impersonations of the following products were made:-

• Grammarly
• MSI Afterburner
• Slack
• Dashlane
• Malwarebytes
• Audacity
• μTorrent
• OBS
• Ring
• AnyDesk
• Libre Office
• Teamviewer
• Thunderbird
• Brave

Malware Delivered Via Google Ads

Threat actors clone the official websites of these software projects, and when users click the download button, malicious versions of the software are distributed to the user.

This can result in the delivery of a variety of malware variants such as the following:-

• Raccoon Stealer
• A custom version of the Vidar Stealer
• IcedID malware loader

As a result of a massive typosquatting scam, hundreds of domains impersonating software projects have been identified recently.

In an additional instance of the RedLine stealer infecting users with malicious software, fake MSI Afterburner portals are used to spread the infection.

This was a piece of information that was lacking, namely how users were exposed to these websites, and this is now something that experts are now able to uncover.

Abusing Google Ads

It has been found that marketing campaigns via Google Adwords are often utilized to promote these malicious websites to a wider audience according to the security researchers at Guardio Labs and Trend Micro.

Advertisers can promote their pages on Google Search through Google AdWords, which places them at the top of the list of results as advertisements.

Moreover, the official website of a project is often flanked by advertisements that appear above the page.

The promotion will appear in front of users looking for legitimate software in a browser without an active ad blocker, in short, this will be more visible to them. 

This typically leads to people clicking on it because it appears to be very similar to the actual search results, so they are more likely to click on it.

Google will block campaigns that have been detected to contain malicious landing pages, as well as remove the ads that are associated with the campaign.

Thus, to bypass Google’s automated checks, threat actors must use a trick in that step in order to achieve their objectives.

By clicking on the ad, the threat actor is able to redirect victims to a benign but irrelevant website that is created by the threat actors themselves. In the next step, please direct them to a malicious website impersonating the project’s website.

There are several reputable file-sharing and code-hosting sites that deliver the payload in ZIP or MSI format, and they include:- 

• GitHub
• Dropbox
• Discord’s CDN

By doing so, it ensures that any anti-virus programs on the victim’s computer will not block it from doing its job.

It is important to note that the “masquerAd” site that was not visible to Google and to the visitor who will never see it has been forwarded to the server side.

During the installation of legitimate software, the malware was included as part of the package. There would be a silent installation of malware and users would get what they downloaded.

It can be tricky to determine whether targeted search results are trustworthy since they carry all the appearances of legitimacy.

Activating an ad-blocker on your web browser is one good way to block these campaigns since it filters out certain results from Google Search that are promoted to you.

It would be better to bookmark a URL of the website you frequent so that you can access it directly when you need to source updates for a particular software project.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book