Skip to content
supertechspain.com
Menu
  • Gadgets
  • Graphic Design
  • Network
  • Programming
  • Software
  • Technology News
Menu

New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

Posted on 02/01/2023

Dec. 29, 2022Ravie LakshmananOnline Security / Malvertising

Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar.

The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords.

The ultimate objective of such attacks is to trick unsuspecting users into downloading malevolent programs or potentially unwanted applications.

In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirects the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.

“The moment those ‘disguised’ sites are being visited by targeted visitors (those who actually click on the promoted search results) the server immediately redirects them to the rogue site and from there to the malicious payload,” researcher Nati Tal said.

CyberSecurity

Among the impersonated software include AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom, among others.

Guardio Labs, which has dubbed the campaign MasquerAds, is attributing a huge chunk of the activity to a threat actor it is tracking under the name Vermux, noting that the adversary is “abusing a vast list of brands and keeps on evolving.”

The Vermux operation has mainly singled out users in Canada and the US, employing masquerAds sites tailored to searches for AnyDesk and MSI Afterburner to proliferate cryptocurrency miners and Vidar information stealer.

The development marks the continued use of typosquatted domains that mimic legitimate software to lure users into installing rogue Android and Windows apps.

It’s also far from the first time the Google Ads platform has been leveraged to dispense malware. Microsoft last month disclosed an attack campaign that leverages the advertising service to deploy BATLOADER, which is then used to drop Royal ransomware.

BATLOADER aside, malicious actors have also used malvertising techniques to distribute the IcedID malware via cloned web pages of well-known applications such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird, and TeamViewer.

“IcedID is a noteworthy malware family that is capable of delivering other payloads, including Cobalt Strike and other malware,” Trend Micro said last week. “IcedID enables attackers to perform highly impactful follow through attacks that lead to total system compromise, such as data theft and crippling ransomware.”

The findings also come as the US Federal Bureau of Investigation (FBI) warned that “cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.”

Found this interesting article? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Recent Posts

  • Federal court strikes down Biden’s student loan forgiveness program
  • A Compiler Writing Playground
  • A new rule for those involved in federal acquisition
  • Celsius Network defaults on payments to Core Scientific, causing financial unrest
  • NSA Urges Organizations To Shift To Memory Safe Programming Languages

Archives

  • January 2023
  • December 2022
  • November 2022
  • October 2022

Categories

  • Gadgets
  • Graphic Design
  • Network
  • Programming
  • Software

About Us

  • Contact Us
  • Advertise Here
  • Disclosure Policy
  • Sitemap

Partner Links

Partner Links

Support Links

©2023 supertechspain.com | Design: Newspaperly WordPress Theme