A new malvertising campaign is targeting users who search for popular software, using Google Ads to serve trojanized variants of that software that deploy malware such as Vidar and Raccoon Stealer. The campaign abuses the trust users place in Google Ads to deliver malicious software to their devices. It is important for users to be cautious when clicking on ads and to ensure that they have reliable security software installed on their devices to protect against these types of threats.
This new cyber attack uses seemingly credible websites with typosquatted domain names that appear at the top of Google search results as malicious ads. These ads hijack search results for specific keywords and trick users into clicking on them.
When users click on these ads, they are redirected to malicious websites that can install malware on their devices or trick unsuspecting users into downloading malevolent programs or potentially unwanted applications.
According to Guardio Labs, a new campaign has been observed where threat actors are creating a network of seemingly benign sites that are promoted on search engines, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.
"The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the server immediately redirects them to the rogue site and from there to the malicious payload," researcher Nati Tal said.
It has been reported that threat actors are impersonating popular software in this new attack, including AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom among others.
Guardio Labs has uncovered a new campaign, which it has dubbed MasquerAds, that is being attributed to a threat actor known as Vermux. This adversary is "abusing a vast list of brands and keeps on evolving."

The Vermux operation has primarily targeted users in Canada and the U.S., using MasquerAds sites tailored to searches for AnyDesk and MSI Afterburner to spread cryptocurrency miners and the Vidar information stealer. These sites and advertisements are designed to appear legitimate and trick users into visiting phishing pages or downloading malware.
Threat actors are continuing to use typosquatted domains that mimic legitimate software to trick users into installing rogue Android and Windows apps.
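The chain the article describes (a typosquatted look-alike of a software brand promoted through search ads, which then redirects the visitor to a trojanized ZIP on Dropbox or OneDrive) leaves a recognisable pattern in web proxy logs. The script below is an added example, not code from Guardio Labs or the original article: it scores hostnames against a small brand list by edit distance and substring match, then scans constructed proxy log lines for two stages of the chain, a look-alike domain reached directly from a search engine and a ZIP download from a file-sharing host whose Referer is that look-alike. The log format, the brand list and the hostnames in the sample lines are all assumptions made for the example.

```python
"""Flag MasquerAds-style chains in proxy logs (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Assumed illustrative brand -> legitimate registrable domain map. Short brand
# names (e.g. "zoom") are deliberately left out: with an edit distance of 2
# they would match ordinary words and produce false positives.
LEGIT_DOMAINS = {
    "anydesk": "anydesk.com",
    "msiafterburner": "msi.com",
    "grammarly": "grammarly.com",
    "malwarebytes": "malwarebytes.com",
}
# File-sharing hosts the article names as hosting the trojanized ZIP archives.
FILE_HOSTS = ("dropbox.com", "onedrive.live.com")
SEARCH_ENGINES = ("google.com", "bing.com")


def levenshtein(a, b):
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain (last two labels); no public-suffix list here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_file_host(host):
    host = host.lower()
    return any(host == fh or host.endswith("." + fh) for fh in FILE_HOSTS)


def lookalike_brand(host, max_dist=2):
    """Return the brand a host imitates, or None for legitimate/unrelated hosts."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS.values():
        return None
    # Normalise the leftmost label: "msi-afterburner-download" -> "msiafterburnerdownload"
    label = re.sub(r"[^a-z]", "", reg.split(".")[0])
    for brand in LEGIT_DOMAINS:
        if brand in label or levenshtein(label, brand) <= max_dist:
            return brand
    return None


def parse(line):
    """Assumed log layout: timestamp client method url status referer."""
    ts, client, method, url, status, referer = line.split()
    return {"ts": ts, "client": client, "url": url, "status": int(status), "referer": referer}


def find_suspicious_chains(log_text):
    """Return hits for ad-landing (look-alike from search engine) and payload stages."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    hits = []
    for e in events:
        host = urlparse(e["url"]).hostname or ""
        ref_host = urlparse(e["referer"]).hostname or ""  # "-" yields ""
        # Stage 1: a look-alike domain reached straight from a search result
        brand = lookalike_brand(host)
        if brand and registrable(ref_host) in SEARCH_ENGINES:
            hits.append({"stage": "ad-landing", "client": e["client"],
                         "lookalike": host, "brand": brand, "url": e["url"]})
        # Stage 2: ZIP pulled from a file-sharing host, referred by a look-alike
        if is_file_host(host) and urlparse(e["url"]).path.lower().endswith(".zip"):
            ref_brand = lookalike_brand(ref_host)
            if ref_brand:
                hits.append({"stage": "payload", "client": e["client"],
                             "lookalike": ref_host, "brand": ref_brand, "url": e["url"]})
    return hits


# Constructed sample log: one user follows the full chain, two are benign.
SAMPLE_LOG = """\
2022-12-28T10:01:02Z 10.0.0.5 GET https://www.google.com/search?q=anydesk 200 -
2022-12-28T10:01:05Z 10.0.0.5 GET https://anydeskk.com/ 302 https://www.google.com/
2022-12-28T10:01:06Z 10.0.0.5 GET https://www.dropbox.com/s/abc123/AnyDesk_Setup.zip?dl=1 200 https://anydeskk.com/
2022-12-28T10:05:00Z 10.0.0.7 GET https://anydesk.com/en/downloads 200 https://www.google.com/
2022-12-28T10:06:00Z 10.0.0.9 GET https://www.dropbox.com/s/xyz/report.zip?dl=1 200 https://intranet.example.com/
"""

if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_LOG):
        print(hit)
```

The two-stage match matters: a ZIP from Dropbox alone is routine, and a near-miss domain alone may be a legitimate reseller, but a look-alike landing page that immediately hands off to an archive download reproduces the redirect-and-payload pattern the researchers describe. The crude registrable-domain split and the fixed edit distance are the parts to replace with a public-suffix list and tuned thresholds before running this against real traffic.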

This is not the first time that the Google Ads platform has been used to dispense malware. Just last month, Microsoft disclosed an attack campaign that leveraged the advertising service to deploy BATLOADER, which was then used to drop Royal ransomware.
In addition to BATLOADER, malicious actors have also used malvertising techniques to distribute the IcedID malware through cloned web pages of popular applications such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird, and TeamViewer.
According to Trend Micro, "IcedID is a noteworthy malware family that is capable of delivering other payloads, including Cobalt Strike and other malware." This makes IcedID particularly dangerous: it gives attackers a foothold for follow-on activity, such as data theft and ransomware deployment, that can end in full system compromise.
The U.S. Federal Bureau of Investigation (FBI) has also warned that cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.