Google Search Ads are used by hackers to spread info-stealing malware

Hackers are creating fake websites that impersonate open-source and free software projects and promoting them through Google Search results to push malware downloads.

One prominent cryptocurrency user has already fallen victim to the campaign, and says the attackers stole their entire digital asset holdings and took control of their personal accounts.

Alex, a crypto influencer better known online as NFT God, was hacked over the weekend after launching a fake executable for OBS (Open Broadcaster Software), a live streaming and video recording tool. They had obtained the executable from a Google search result.

Google search ad for malicious OBS Studio download


In a Twitter thread recounting the weekend's events, Alex wrote, “Nothing happened after I clicked on the EXE.” A few hours later, friends alerted them that their Twitter account had been hacked.

Unknown to Alex, the executable was an information stealer that harvested their browser passwords, cookies and Discord tokens, and sent their cryptocurrency wallet data to the remote attackers.

Alex then discovered that their OpenSea NFT marketplace account had also been compromised, and that one of their digital assets was now listed under a different wallet.

It was gone. Everything. Everything.

Alex soon discovered that their Substack, Gmail and Discord accounts had suffered the same fate and were also under the hackers' control.

The online accounts of NFT God, a crypto influencer, were hacked


This is not an entirely new tactic, but threat actors seem to be using it more frequently. Last October, a large campaign using more than 200 typosquatting domains to mislead users was reported.

Although the malware's distribution method was not known at the time, separate December reports from cybersecurity firms Trend Micro and Guardio showed that hackers had turned to Google Ads to deliver malicious files through search results.

A flood of malicious ads in Google Search results

Following NFT God's thread, BleepingComputer did its own research and found that OBS is just one of many software products threat actors impersonate to push malware downloads through Google Ads search results.

One example we found was a Google Search ad for Rufus, a free tool for creating bootable USB flash drives.

A threat actor registered domains that look similar to the official site and copied all of its main content, including the download section.

In one instance they used “pro” as the top-level domain, likely to pique interest with the promise of extra program features.

Malicious Rufus download pushed via ads in Google search results

Source: BleepingComputer

It is important to note that Rufus does not have a “pro” or advanced edition. Only one version of Rufus exists, offered as an executable and as a portable variant, and it is available on GitHub.

The malicious download is hosted on a file transfer service, and many antivirus engines fail to inspect it because it is an archive bomb: a small archive that expands to an enormous size, so scanners that try to decompress it give up or time out.
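As an added example, not code from the article or from any of the researchers it cites, the following script shows how a defender can pre-screen a ZIP for the archive-bomb pattern using only the sizes declared in the central directory, without ever extracting it. The ratio and size thresholds are assumptions chosen for the example, and both sample archives are constructed inline.

```python
import io
import zipfile

# Thresholds are assumptions for this example, not figures from the article.
MAX_RATIO = 100.0           # uncompressed/compressed expansion ratio that triggers a flag
MAX_TOTAL_BYTES = 1 << 30   # declared uncompressed total (1 GiB) that triggers a flag


def screen_zip(data: bytes, max_ratio: float = MAX_RATIO,
               max_total: int = MAX_TOTAL_BYTES) -> dict:
    """Read only the central directory (sizes declared in the entry headers).

    Nothing is extracted, so a bomb cannot exhaust disk or memory here; the
    declared sizes may lie, but an absurd declaration is itself the signal.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    if compressed:
        ratio = uncompressed / compressed
    else:
        ratio = float("inf") if uncompressed else 0.0
    # Entries whose own expansion ratio is extreme (the classic zero-filled payload).
    suspicious = [i.filename for i in infos
                  if i.compress_size and i.file_size / i.compress_size > max_ratio]
    verdict = "archive-bomb" if (ratio > max_ratio or uncompressed > max_total) else "ok"
    return {"entries": len(infos), "compressed": compressed,
            "uncompressed": uncompressed, "ratio": ratio,
            "suspicious": suspicious, "verdict": verdict}


def build_bomb_sample(size_bytes: int = 10 * 1024 * 1024, name: str = "setup.exe") -> bytes:
    """Constructed sample: one zero-filled entry, which DEFLATE shrinks roughly 1000x."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"\0" * size_bytes)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed sample: a small entry with little redundancy (ratio well under 100)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", bytes(range(256)) * 4)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("bomb", build_bomb_sample()), ("benign", build_benign_sample())):
        print(label, screen_zip(sample))
```

The check is cheap enough to run on every download at a mail or web gateway before the file reaches a full antivirus scan; anything flagged as `archive-bomb` should be quarantined rather than decompressed.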

Notepad++, a popular text and source-code editor, was impersonated as well. The threat actor used typosquatting to register a domain that closely resembles the official developer's.

Ad in Google Search for malicious Notepad++ download

Source: BleepingComputer

Security researcher Will Dormann found fake Notepad++ downloads served from other URLs as well. Every file had been flagged as malicious by antivirus engines on the VirusTotal scanning platform.

Malicious Notepad++ ad in Google search results


BleepingComputer found another website hosting fake software downloads that was promoted only through Google Ads results. It appears to impersonate Zensoft Tech, a legitimate web design firm in India.

We could not verify whether the downloaded files were malicious, but the URL is typosquatted, and the site blocks search engines from indexing its content while promoting the downloads only through sponsored results. That combination is an indicator of malicious activity.
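As an added example that is not part of the article, the script below turns the two indicators this paragraph relies on, a typosquatted or name-swapped domain and a site that hides from crawlers while buying ads, into a small triage function, and at the same time implements the "check the URL of any download source" advice given at the end of the article. The allowlist of official vendor domains, the suspicious-TLD list, the edit-distance threshold, and the sample page HTML, robots.txt and candidate URL are all assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of official download domains for the tools named in the article;
# a real deployment would keep this in a maintained software inventory.
OFFICIAL_DOMAINS = (
    "7-zip.org", "audacityteam.org", "blender.org", "ccleaner.com", "gimp.org",
    "notepad-plus-plus.org", "obsproject.com", "rufus.ie", "videolan.org", "win-rar.com",
)
# TLDs these vendors do not use; ".pro" is the one seen in the article.
SUSPICIOUS_TLDS = {"pro"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between a vendor name and a candidate means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _MetaRobots(HTMLParser):
    """Detects <meta name="robots" content="noindex ..."> in page HTML."""
    def __init__(self):
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots" and "noindex" in a.get("content", "").lower():
            self.noindex = True


def robots_blocks_all(robots_txt: str) -> bool:
    """True if the 'User-agent: *' group of robots.txt contains 'Disallow: /'."""
    applies = False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value == "/":
            return True
    return False


def split_domain(host: str):
    """Simplification: the last label is the TLD; suffixes like co.uk need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host, host, ""
    return ".".join(labels[-2:]), labels[-2], labels[-1]


def triage(url: str, html: str = "", robots_txt: str = "") -> dict:
    """Score a download URL plus the page it serves; returns indicators and a verdict."""
    host = urlsplit(url).hostname or ""
    registered, sld, tld = split_domain(host)
    indicators = []
    if registered in OFFICIAL_DOMAINS:
        return {"domain": registered, "indicators": indicators, "verdict": "official"}
    for official in OFFICIAL_DOMAINS:
        osld, otld = official.rsplit(".", 1)
        if sld == osld and tld != otld:
            indicators.append(f"same name as {official} on a different TLD")
        elif (len(osld) >= 5 and 0 < levenshtein(sld, osld) <= 2) or (osld in sld and sld != osld):
            indicators.append(f"lookalike of {official}")
    if tld in SUSPICIOUS_TLDS:
        indicators.append(f"uncommon vendor TLD .{tld}")
    parser = _MetaRobots()
    parser.feed(html)
    if parser.noindex:
        indicators.append("meta robots noindex on a page promoted only through ads")
    if robots_blocks_all(robots_txt):
        indicators.append("robots.txt disallows all crawling")
    return {"domain": registered, "indicators": indicators,
            "verdict": "suspicious" if indicators else "unverified"}


# Constructed sample page and robots.txt modelled on the behaviour described in the article.
SAMPLE_HTML = ('<html><head><meta name="robots" content="noindex, nofollow"></head>'
               '<body>Download</body></html>')
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    # Constructed candidate URL mirroring the ".pro" Rufus case from the article.
    print(triage("https://rufus.pro/download", SAMPLE_HTML, SAMPLE_ROBOTS))
```

Edit-distance matching is a heuristic: very short vendor names produce false positives, which is why the example only applies it to names of five or more characters, and a production version should resolve the registered domain with a public-suffix list rather than the last two labels.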

We found several pieces of software on the site, including the WinRAR and 7-Zip file compression utilities and the popular VLC media player.

Malicious WinRAR and 7-Zip downloads in sponsored ads on Google Search

Source: BleepingComputer

On another domain, threat actors hosted a malicious copy of CCleaner, a utility for removing unwanted files and invalid Windows Registry entries from a computer.

The hackers appear to have outbid the legitimate developer to place their ad at the top of the results. The malicious ad displays the official CCleaner website, as shown in the image below, and the site served a ZIP file containing information-stealing malware.

CCleaner malicious download pushed via Google ads

Source: BleepingComputer

Multiple security researchers, including MalwareHunterTeam, have discovered additional URLs hosting malware that impersonates open-source or free software, confirming the widespread use of sponsored Google search results by cybercriminals.

CronUp, a cybersecurity firm, has documented threat actors who spread malware through Google Ads results by impersonating legitimate software.

These websites look identical to the official sites and either offer fake software or redirect visitors elsewhere. Some offer Audacity, others VLC or the GIMP image editor.

One user nearly fell for the trick while trying to obtain Blender 3D, an open-source 3D design suite. MalwareHunterTeam noted that three fake ads for the product were listed before the developer's official link.

Malicious Blender 3D downloads take top ad spot in Google search results


Will Dormann, a security researcher at Bitdefender, noticed that one of the malicious samples flagged by AV software was an .

BleepingComputer was unable to verify which malware was delivered in every case, but in some cases we could: the fake CCleaner website, for instance, delivered the RedLine Stealer.

This malware steals data stored in web browsers (credentials, credit card numbers and autocomplete information) and collects system details (usernames, location and installed security software).

Fernandez discovered that one threat actor was distributing SectopRAT, a .NET-based remote access trojan, via fake Audacity downloads.

The researcher also discovered the Vidar information stealer being delivered through malicious Blender 3D downloads advertised in Google Search. Vidar collects sensitive information from web browsers and can also steal cryptocurrency wallets.

BleepingComputer shared these findings with Google. A company representative told us that Google's policies are designed to protect brands against impersonation.

“We have strong policies that prohibit ads which . These include disguised identities and impersonating brands. We reviewed these ads and removed them.” – Google

Google said it would review any additional ads or sites reported as violating its policies and take appropriate action where necessary.

Ad blockers can add protection

The FBI flagged the use of sponsored search-result ads as a malware delivery channel in a warning issued last Christmas.

According to the agency, these ads are placed at the top of search results pages with minimal distinction between an advertisement and an actual search result, and they link to websites that look identical to the impersonated business's official site.

This gives cybercriminals a way to spread their malware to a much wider audience.

It is always a good idea to check the URL of any download source. Combined with an ad blocker, this makes it much easier to protect yourself from this kind of threat.

Extensions are available for most web browsers that block ads from loading and being displayed on web pages, search results included.

Ad blockers not only make browsing more convenient but also improve privacy, since they prevent the tracking cookies that ads use to collect data about browsing patterns from being placed.

In this instance, though, such an extension can make the difference between having your confidential information and online accounts stolen and safely obtaining software from a legitimate vendor.