Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar.
The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords.
The ultimate objective of such attacks is to trick unsuspecting users into downloading malevolent programs or potentially unwanted applications.
In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.
“The moment those ‘disguised’ sites are being visited by targeted visitors (those who actually click on the promoted search result) the server immediately redirects them to the rogue site and from there to the malicious payload,” researcher Nati Tal said.
Among the impersonated software include AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom, among others.
Guardio Labs, which has dubbed the campaign MasquerAds, is attributing a huge chunk of the activity to a threat actor it is tracking under the name Vermux, noting that the adversary is “abusing a vast list of brands and keeps on evolving.”
The Vermux operation has mainly singled out users in Canada and the U.S., employing masquerAds sites tailored to searches for AnyDesk and MSI Afterburner to proliferate cryptocurrency miners and Vidar information stealer.
The development marks the continued use of typosquatted domains that mimic legitimate software to lure users into installing rogue Android and Windows apps.
It’s also far from the first time the Google Ads platform has been leveraged to dispense malware. Microsoft last month disclosed an attack campaign that leverages the advertising service to deploy BATLOADER, which is then used to drop Royal ransomware.
BATLOADER aside, malicious actors have also used malvertising techniques to distribute the IcedID malware via cloned web pages of well-known applications such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird, and TeamViewer.
“IcedID is a noteworthy malware family that is capable of delivering other payloads, including Cobalt Strike and other malware,” Trend Micro said last week. “IcedID enables attackers to perform highly impactful follow through attacks that lead to total system compromise, such as data theft and crippling ransomware.”
The findings also come as the U.S. Federal Bureau of Investigation (FBI) warned that “cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.”