New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

Dec 29, 2022 | Ravie Lakshmanan | Online Security / Malvertising

Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar.

The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords.

The ultimate objective of such attacks is to trick unsuspecting users into downloading malevolent programs or potentially unwanted applications.

In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which, when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.

"The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the server immediately redirects them to the rogue site and from there to the malicious payload," researcher Nati Tal said.
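As an added defender-side example (my code, not Guardio Labs' or the article's), the script below triages constructed web-proxy log lines for the chain described above: a search referrer, a look-alike domain for one of the brands the article names, then a ZIP fetched from Dropbox or OneDrive. The brand keywords come from the article's list; the allowlisted official domains, the log format, the file-host names and the edit-distance thresholds are my assumptions.

```python
from urllib.parse import urlparse

# Brand keywords from the article's list of impersonated software; the official
# registrable domains used as an allowlist are my assumption.
BRANDS = {"anydesk": "anydesk.com", "dashlane": "dashlane.com", "grammarly": "grammarly.com",
          "malwarebytes": "malwarebytes.com", "afterburner": "msi.com",
          "slack": "slack.com", "zoom": "zoom.us"}
FILE_HOSTS = ("dropbox.com", "onedrive.live.com", "1drv.ms")

# Constructed sample 'timestamp user url referrer' lines (not real traffic).
SAMPLE_LOG = """\
2022-12-29T10:01:02Z alice https://anydesck.com/download/ https://www.google.com/
2022-12-29T10:01:05Z alice https://www.dropbox.com/s/x1y2z3/AnyDesk-Setup.zip?dl=1 https://anydesck.com/download/
2022-12-29T10:02:30Z bob https://anydesk.com/en/downloads https://www.google.com/
2022-12-29T10:03:11Z carol https://msi-afterburner.example/ https://www.google.com/"""
def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def registrable(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])  # crude; use the Public Suffix List in production
def lookalike_brand(host: str):
    """Brand keyword the host imitates, or None if it is official or unrelated."""
    reg = registrable(host)
    if reg in BRANDS.values():
        return None
    name = "".join(ch for ch in reg.split(".")[0] if ch.isalpha())  # drop hyphens/digits
    for kw in BRANDS:
        limit = 1 if len(kw) <= 5 else 2  # short names need a tighter bound
        if (len(kw) >= 6 and kw in name) or levenshtein(name, kw) <= limit:
            return kw
    return None
def triage(log: str) -> list:
    """(user, reason, url) findings: look-alike hosts, and ZIPs from a file host via a look-alike referrer."""
    findings = []
    for line in log.splitlines():
        _ts, user, url, ref = line.split()
        host, ref_host = urlparse(url).hostname, urlparse(ref).hostname
        brand = lookalike_brand(host)
        if brand:
            findings.append((user, f"look-alike of {brand}", url))
        elif (any(host == h or host.endswith("." + h) for h in FILE_HOSTS)
              and urlparse(url).path.lower().endswith(".zip") and lookalike_brand(ref_host)):
            findings.append((user, "zip from file host via look-alike referrer", url))
    return findings
```

Run on real proxy exports, the second rule is the one worth alerting on: a ZIP pulled from a consumer file host right after a visit to a look-alike domain is the hand-off point the article describes.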

The impersonated software includes AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom, among others.

Guardio Labs, which has dubbed the campaign MasquerAds, attributes a huge chunk of the activity to a threat actor it tracks under the name Vermux, noting that the adversary is "abusing a vast list of brands and keeps on evolving."

The Vermux operation has mainly singled out users in Canada and the U.S., employing MasquerAds sites tailored to searches for AnyDesk and MSI Afterburner to proliferate cryptocurrency miners and the Vidar information stealer.

The development marks the continued use of typosquatted domains that mimic legitimate software to lure users into installing rogue Android and Windows apps.

It's also far from the first time the Google Ads platform has been leveraged to dispense malware. Microsoft last month disclosed an attack campaign that leverages the advertising service to deploy BATLOADER, which is then used to drop Royal ransomware.

BATLOADER aside, malicious actors have also used malvertising techniques to distribute the IcedID malware via cloned web pages of well-known applications such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird, and TeamViewer.

"IcedID is a noteworthy malware family that is capable of delivering other payloads, including Cobalt Strike and other malware," Trend Micro said last week. "IcedID enables attackers to perform highly impactful follow-through attacks that lead to total system compromise, such as data theft and crippling ransomware."

The findings also come as the U.S. Federal Bureau of Investigation (FBI) warned that "cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information."
