Google Ads are used by hackers to distribute malware within legitimate software

Google Ads has been used by malware operators to distribute malicious software to unsuspecting users searching for popular software products.

These campaigns impersonate Grammarly, MSI Afterburner and Slack.

Threat actors will clone the official sites of these projects, and then distribute trojanized software to users who click on the Download button.

This malware includes variants of Raccoon Stealer and a modified version of Vidar Stealer.

BleepingComputer recently published information on these campaigns. It revealed a campaign that used more than 200 domains to impersonate software projects, and another that infected users with the RedLine stealer.

One detail missing from those reports, however, was how users came to be exposed to these sites. That information is now available.

Trend Micro and Guardio Labs both report that malicious sites are being promoted via Google Ad Campaigns.

Google Ads misuse

Google Ads lets advertisers promote pages in Google Search, placing them higher in the results than the official site of the project they imitate.

Users searching for the genuine software see the promoted result first, and are likely to click it because it closely resembles what they were looking for.

If Google determines that the landing page is malicious, it blocks the campaign and removes the ads, so threat actors need a trick to get around Google’s automatic checks.

According to Trend Micro and Guardio, the trick is that the ad points to a benign but irrelevant site; victims who arrive by clicking the ad are then redirected to malicious sites impersonating the project.

Landing and rogue sites used in the campaigns (Guardio Labs)

“As soon as targeted visitors visit those ‘disguised sites’, the server redirects them immediately to the rogue website and then to the malicious payload,” states Guardio Labs.

Guardio Labs: “Those rogue websites are virtually invisible to visitors not reaching them from the real promotional flow, showing as a benign, unrelated site to crawlers, bots, occasional visitors and, of course, Google’s policy enforcers.”

The payload is downloaded in ZIP or MSI form from reputable code-hosting or file-sharing services such as GitHub, Dropbox or Discord’s CDN, so the victim’s anti-virus software is unlikely to object to the download.
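The redirect chain described above (ad click to a benign landing site, then to a rogue site, then to an archive on a file-sharing service) leaves a recognisable trail in web-proxy logs. The following is an added example of detection logic, not code from the original article or from Guardio Labs or Trend Micro. The log format and the log lines are constructed for the example, and the list of file-sharing domains is an assumption a defender would tune to their environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not from any real capture). Fields:
# time client method url status referrer   ('-' means no referrer)
SAMPLE_LOG = """\
2023-01-01T10:00:01 10.0.0.5 GET https://www.google.com/aclk?sa=L&ai=abc 302 https://www.google.com/search?q=grammarly
2023-01-01T10:00:02 10.0.0.5 GET https://benign-landing.example/ 302 https://www.google.com/aclk?sa=L&ai=abc
2023-01-01T10:00:02 10.0.0.5 GET https://grammarly-download.example/download 200 https://benign-landing.example/
2023-01-01T10:00:05 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/GrammarlyInstaller.zip 200 https://grammarly-download.example/download
2023-01-01T10:01:00 10.0.0.7 GET https://www.google.com/aclk?sa=L&ai=def 302 https://www.google.com/search?q=slack
2023-01-01T10:01:01 10.0.0.7 GET https://slack.example/downloads 200 https://www.google.com/aclk?sa=L&ai=def
2023-01-01T10:01:09 10.0.0.7 GET https://slack.example/SlackSetup.msi 200 https://slack.example/downloads
2023-01-01T10:02:00 10.0.0.9 GET https://github.com/example/tool/releases/download/v1/tool.zip 200 https://www.google.com/search?q=tool
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Assumption: hosting services the article names, where a payload download
# alone looks benign and only the referrer chain reveals the malvertising flow.
FILE_SHARING_DOMAINS = ("github.com", "objects.githubusercontent.com", "dropbox.com",
                        "dropboxusercontent.com", "discordapp.com", "discord.com")


def parse_log(text):
    """Parse constructed log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, ref = m.groups()
        records.append({"ts": ts, "client": client, "method": method, "url": url,
                        "status": int(status), "ref": None if ref == "-" else ref})
    return records


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def is_ad_click(url):
    """Google ad-click redirector URLs (aclk) rather than organic search results."""
    host, path = host_of(url), urlparse(url).path
    return (_under(host, "google.com") and path.startswith("/aclk")) or _under(host, "googleadservices.com")


def is_file_sharing(host):
    return any(_under(host, d) for d in FILE_SHARING_DOMAINS)


def is_archive(url):
    return urlparse(url).path.lower().endswith((".zip", ".msi"))


def find_suspicious_chains(records):
    """Return archive downloads from file-sharing hosts whose referrer chain leads
    back to an ad click through at least two distinct intermediate hosts
    (the benign landing site and the rogue site)."""
    by_client = defaultdict(dict)          # client -> url -> record
    for r in records:
        by_client[r["client"]][r["url"]] = r
    findings = []
    for r in records:
        if not (is_archive(r["url"]) and is_file_sharing(host_of(r["url"]))):
            continue
        chain, cur, seen = [r["url"]], r, set()
        # Walk the referrer chain backwards, stopping at an ad click or a dead end.
        while cur is not None and cur["ref"] and cur["ref"] not in seen and len(chain) < 10:
            seen.add(cur["ref"])
            chain.append(cur["ref"])
            if is_ad_click(cur["ref"]):
                break
            cur = by_client[r["client"]].get(cur["ref"])
        if not is_ad_click(chain[-1]):
            continue
        hosts = []                          # distinct hosts between ad click and payload
        for u in reversed(chain[1:-1]):
            h = host_of(u)
            if h not in hosts:
                hosts.append(h)
        if len(hosts) >= 2:
            findings.append({"client": r["client"], "payload": r["url"],
                             "chain": list(reversed(chain)), "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], "->".join(f["hosts"]), f["payload"])
```

The rule deliberately ignores the two benign sessions in the sample: an ad click that goes straight to the vendor's own site and download, and a GitHub download reached from an organic search result. Requiring two distinct hosts between the ad click and the payload is what separates the cloaked landing-then-rogue pattern from an ordinary promoted link.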

The malware infection flow (Guardio Labs)

Guardio Labs reports that in November the threat actor lured users with a trojanized version of Grammarly that dropped Raccoon Stealer.

The malware was bundled with the legitimate software: it installed silently while the user received the application they had set out to download.

Trend Micro’s report focuses on an IcedID attack. It states that the threat actors use the Keitaro Traffic Direction System (TDS) to determine whether a website visitor is a genuine victim or a researcher before the redirection takes place. This abuse of Keitaro has been reported since 2019.

Beware of harmful downloads

Promoted search results are tricky because they often carry the hallmarks of legitimacy. The FBI recently warned users about this kind of advertising campaign and urged them to exercise caution.

An effective way to stop these ads is to enable an ad blocker in your browser. This will filter out the promoted results of Google Search.

You can also scroll past the promoted results to find the official domain of the software project you are looking for. The official domain is usually listed on the software’s Wikipedia page.

It’s a good idea to bookmark the URL of any software project you frequent to get updates.

An abnormally large file size is a sign that the installer you are about to download may be malicious.

The domain hosting the site is another indicator of foul play. Although it may look similar to the official website’s, the domain has been altered, often by changing or removing a single letter, a practice known as typosquatting.
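The typosquatting check above can be automated for a download URL before it is trusted. The following is an added example, not code from the article or from any of the vendors it mentions. It assumes a small, hypothetical allow list of official domains, uses the last two labels of a hostname as its registrable domain (no public-suffix list), and goes slightly beyond the text by also catching confusable-character substitutions and brand names embedded in longer domains.

```python
import unicodedata

# Hypothetical allow list of official domains for the products the article names.
OFFICIAL_DOMAINS = {"grammarly.com", "slack.com", "msi.com"}

# Substitutions that make a lookalike domain read like the original at a glance.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                        ("3", "e"), ("5", "s"), ("7", "t")]


def normalize_host(host):
    """Lowercase, Unicode-normalise, drop 'www.' and undo common confusables."""
    host = unicodedata.normalize("NFKC", host).lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    for seq, repl in CONFUSABLE_SEQUENCES:
        host = host.replace(seq, repl)
    return host


def registrable_domain(host):
    # Assumption: no public-suffix list, so the last two labels are treated as
    # the registrable domain (good enough for .com/.net style names).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, official=OFFICIAL_DOMAINS, max_distance=2):
    """Classify a hostname relative to the allow list:
    official, homoglyph, brand-in-name, typosquat or unrelated."""
    raw = host.lower().strip(".")
    raw_reg = registrable_domain(raw[4:] if raw.startswith("www.") else raw)
    if raw_reg in official:
        return "official"
    norm_reg = registrable_domain(normalize_host(host))
    if norm_reg in official:
        return "homoglyph"          # e.g. 'rn' standing in for 'm'
    for off in official:
        brand = off.split(".")[0]
        if brand in raw:
            return "brand-in-name"  # e.g. grammarly-download.com, grammarly.com.evil.net
    for off in official:
        if levenshtein(norm_reg, off) <= max_distance:
            return "typosquat"      # one or two letters changed or removed
    return "unrelated"


if __name__ == "__main__":
    for h in ["grammarly.com", "grarnmarly.com", "gramarly.com",
              "grammarly-download.com", "grammarly.com.example.net", "example.org"]:
        print(f"{h:28} {classify_domain(h)}")
```

The brand-substring rule is intentionally broad and will flag legitimate names that merely contain a short brand string, so in practice it is a triage signal rather than a block decision; the distance threshold is similarly a starting point to tune against the false positives seen in your own traffic.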