Malware operators are taking advantage of the Google Ads platform to distribute malware, including Raccoon Stealer and the IcedID botnet. These cybercriminals create fake copies of popular software websites in order to trick users into downloading their malicious versions.
How the campaigns work:
Cybercriminals are using Google Ads to distribute malware by creating fake versions of popular software websites and tricking users into downloading trojanized versions of the applications.
- Some of the impersonated software includes MSI Afterburner, Slack, Dashlane, Malwarebytes, Grammarly, Audacity, OBS, Ring, AnyDesk, Libre Office, Thunderbird, Teamviewer, Brave, μTorrent, and more.
- The malware being spread includes Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID loader.
- The payload is often downloaded from file-sharing and code-hosting services like GitHub, Dropbox, or Discord's CDN in order to avoid detection by anti-virus programs.
A group known as Vermux has been found using a large number of MasquerAds sites and domains, primarily based in Russia, to target U.S. residents' crypto wallets and GPUs.
Google Ads allows businesses to pay for their website to appear as a sponsored result at the top of search results, potentially above the official website of the project.
If a user is searching for legitimate software without using an ad blocker, they may be directed to a promoted website that appears legitimate but is actually malicious.
In an attempt to avoid detection, the attacker may first send the user to a genuine but unrelated site and only then redirect them to a malicious site that imitates the legitimate software's.
This can result in users unknowingly accessing harmful websites.
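The two patterns the article describes (a landing page that carries a vendor's brand on a domain the vendor does not own, followed by an installer fetched from a file-sharing or code-hosting CDN) can be spotted from a web proxy log. The script below is an added defender-side example, not code from the article or from any vendor it names; the log format, the vendor allowlist and the log lines are all constructed for illustration.

```python
"""Added example (not part of the original article): triage constructed proxy
log lines for (a) hosts that use a software vendor's brand name on a domain the
vendor does not own and (b) installer downloads served from the file-hosting
services the article names. Allowlist and log lines are constructed."""
import re
from urllib.parse import urlparse

# Assumed allowlist: brand keyword -> registrable domains the vendor actually uses.
VENDOR_DOMAINS = {
    "slack": {"slack.com"},
    "malwarebytes": {"malwarebytes.com"},
    "grammarly": {"grammarly.com"},
    "anydesk": {"anydesk.com"},
    "teamviewer": {"teamviewer.com"},
    "audacity": {"audacityteam.org"},
}

# Registrable domains of the staging services named in the article.
FILE_HOSTS = {"github.com", "githubusercontent.com", "dropbox.com",
              "dropboxusercontent.com", "discordapp.com"}

INSTALLER_EXT = re.compile(r"\.(exe|msi|zip|iso|img)$", re.IGNORECASE)

# Constructed sample: "<timestamp> <client> <referer-or-dash> <url> <status>"
SAMPLE_LOGS = [
    "2023-01-10T09:12:01Z 10.0.0.5 - https://www.google.com/search?q=anydesk 200",
    "2023-01-10T09:12:04Z 10.0.0.5 https://www.google.com/ https://anydesk-download.top/ 200",
    "2023-01-10T09:12:09Z 10.0.0.5 https://anydesk-download.top/ https://cdn.discordapp.com/attachments/1/2/AnyDesk-Setup.zip 200",
    "2023-01-10T09:15:30Z 10.0.0.9 - https://anydesk.com/en/downloads 200",
    "2023-01-10T09:15:33Z 10.0.0.9 https://anydesk.com/ https://download.anydesk.com/AnyDesk.exe 200",
    "2023-01-10T10:02:11Z 10.0.0.12 https://github.com/example/repo https://github.com/example/repo/releases/download/v1.0/tool.exe 200",
]


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the constructed sample."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_lookalike(host):
    """Return the impersonated brand when the host contains a vendor's name
    but its registrable domain is not one the vendor owns; otherwise None."""
    reg = registrable(host)
    for brand, domains in VENDOR_DOMAINS.items():
        if brand in host.lower() and reg not in domains:
            return brand
    return None


def parse_line(line):
    ts, client, referer, url, status = line.split()
    return {"ts": ts, "client": client, "referer": referer, "url": url, "status": status}


def triage(lines):
    """Return (client, finding_kind, host, detail) tuples for suspicious requests."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        ref_host = urlparse(rec["referer"]).hostname or ""  # "-" yields ""
        brand = brand_lookalike(host)
        if brand:
            findings.append((rec["client"], "lookalike", host, brand))
        if registrable(host) in FILE_HOSTS and INSTALLER_EXT.search(parsed.path):
            # An installer from a file host is noteworthy on its own; one reached
            # via a brand-lookalike page is the full chain the article describes.
            kind = "cdn_installer_from_lookalike" if brand_lookalike(ref_host) else "cdn_installer"
            findings.append((rec["client"], kind, host, ref_host))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Only the client that went through the lookalike page is flagged for the full chain; the user who downloaded from the vendor's own domain produces no finding, and a plain GitHub release download is reported at lower confidence so it can be reviewed rather than blocked outright.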