December 29, 2022 | Ravie Lakshmanan | Online Security / Malvertising

Users searching for popular software are being targeted in new malvertising campaigns that abuse Google Ads to deliver trojanized variants that deploy malware such as Raccoon Stealer and Vidar.

The campaign relies on seemingly trustworthy websites with typosquatted domain names that appear at the top of Google search results as malicious ads, hijacking searches for specific keywords.

The ultimate goal of such attacks is to trick unsuspecting users into downloading malicious programs and potentially unwanted applications.

In one campaign documented by Guardio Labs, the attackers created a network of benign-looking sites that were promoted on search engines. Clicking on such a site redirects the visitor to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.

“The moment these ‘fake’ sites are visited by a targeted visitor (the one who actually clicked on the promoted search result), the server immediately redirects them to the fraudulent site, from which it redirects to the malicious payload,” Guardio Labs said.


Camouflaged software includes AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom.

Guardio Labs, which dubbed the campaign MasquerAds, believes it came from a threat actor it tracks under the name Vermux, who “abuses a huge number of brands and continues to evolve.”

The Vermux operation singled out users primarily in Canada and the United States, using MasquerAds sites tailored to searches for AnyDesk and MSI Afterburner to spread cryptocurrency miners and the Vidar information stealer.

This development shows the continued use of typosquatted domains that mimic legitimate software to lure users into installing malicious Android and Windows apps.
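A defender-side check for the lookalike domains described above, as an added example that is not part of the original article or of Guardio Labs' research: it scores hostnames (for instance, from proxy or DNS logs) against the software brands the campaign impersonated using edit distance. The brand list comes from the article; the sample hostnames and the allowlist are constructed for the demonstration.

```python
"""Flag hostnames that look like typosquats of the brands named in the campaign.

Added example, not code from the article or from Guardio Labs. Brands are the
ones listed in the article; ALLOWLIST and SAMPLE_HOSTS are constructed.
"""
from typing import Iterable

BRANDS = ["anydesk", "dashlane", "grammarly", "malwarebytes", "visualstudio",
          "msiafterburner", "slack", "zoom"]

# Constructed stand-in for an organisation's known-good vendor domains.
ALLOWLIST = {"anydesk.com", "zoom.us", "slack.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(host: str) -> str:
    """Second-level label, lower-cased, letters only, so 'msi-afterburner.net'
    compares as 'msiafterburner'. Assumes a plain TLD (no 'co.uk' style suffix)."""
    labels = host.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return "".join(ch for ch in label if ch.isalpha())


def closest_brand(host: str) -> tuple[str, int]:
    """Return the brand with the smallest edit distance to the host's core label."""
    label = core_label(host)
    return min(((b, levenshtein(label, b)) for b in BRANDS), key=lambda t: t[1])


def flag_typosquats(hosts: Iterable[str], max_distance: int = 2) -> list[tuple[str, str, int]]:
    """(host, brand, distance) for every non-allowlisted host within max_distance
    of a brand. Distance 0 means the brand name itself on an unexpected domain."""
    hits = []
    for host in hosts:
        h = host.lower().rstrip(".")
        if h in ALLOWLIST:
            continue
        brand, dist = closest_brand(h)
        if dist <= max_distance:
            hits.append((h, brand, dist))
    return hits


# Constructed sample: two lookalikes, one brand name on a foreign TLD, two benign hosts.
SAMPLE_HOSTS = ["anydesk.com", "anydeskk.org", "msi-afterburner.net",
                "zoom-dl.com", "dropbox.com", "example.com"]

if __name__ == "__main__":
    for host, brand, dist in flag_typosquats(SAMPLE_HOSTS):
        print(f"{host:22} looks like {brand} (distance {dist})")
```

Tune `max_distance` to the label length in production; a fixed threshold of 2 is generous for short brands such as "zoom" and "slack".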

It’s also not the first time the Google Ads platform has been used to deliver malware. Last month, Microsoft disclosed an attack campaign that used the advertising service to deploy BATLOADER, which was then used to drop Royal ransomware.

Besides BATLOADER, malicious actors also use malvertising techniques to distribute IcedID malware through cloned web pages of well-known applications such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird, and TeamViewer.

“IcedID is a notable malware family that can deliver other payloads, including Cobalt Strike and other malware,” Trend Micro said last week. “IcedID allows attackers to carry out highly impactful follow-through attacks that lead to system-wide compromise, such as data theft and ransomware subversion.”

The findings also follow a warning from the U.S. Federal Bureau of Investigation (FBI) that “cybercriminals are using search engine advertising services to impersonate brands, direct users to malicious sites that host ransomware, and steal login credentials and other financial information.”
