Hackers are abusing Google Ads to impersonate popular programs and deliver malware to unsuspecting victims. They clone official websites and distribute trojanised versions of the programs, bundling the legitimate installer with malware that silently installs itself alongside it.
Here’s a complete list of the impersonated programs:
- Libre Office
- MSI Afterburner
The two major malware families distributed are Raccoon Stealer and the IcedID malware loader. The ad for the impersonated program first leads the user to a decoy site, which then redirects them to the actual malicious site serving the malware-laced download.
Since Google Ads blocks any malicious campaign it detects, threat actors need a way around that screening to reach victims. Using a fake but relatively harmless site as the landing page and then redirecting users to the malicious site appears to be working for them at the moment.
The malicious site then serves the payload as a ZIP or MSI package downloaded from popular and reputable CDNs, including GitHub, Dropbox and Discord, to throw off any antivirus or screening software installed on the victim’s computer.
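As an added defensive example that is not part of this article, the following Python script reconstructs per-client click chains from constructed proxy log lines and flags ZIP/MSI downloads from the file-hosting services named above that were reached from a search result through an unrelated intermediate domain, while leaving a direct search-to-GitHub-release download unflagged; the log format, decoy domain names and CDN hostnames are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not from the article): timestamp, client, referrer, requested URL.
# 10.0.0.5: ad -> decoy -> second site -> Discord CDN ZIP; 10.0.0.7: vendor domain; 10.0.0.9: search -> GitHub release.
SAMPLE_LOG = """\
2022-12-29T10:01:02Z 10.0.0.5 https://www.google.com/search?q=msi+afterburner https://msi-afterburner-dl.example/
2022-12-29T10:01:04Z 10.0.0.5 https://msi-afterburner-dl.example/ https://afterburner-setup.example/get
2022-12-29T10:01:05Z 10.0.0.5 https://afterburner-setup.example/get https://cdn.discordapp.com/attachments/1/2/MSIAfterburnerSetup.zip
2022-12-29T10:05:00Z 10.0.0.7 https://www.msi.com/Landing/afterburner https://download.msi.com/uti_exe/vga/MSIAfterburnerSetup.zip
2022-12-29T10:07:00Z 10.0.0.9 https://www.google.com/search?q=some+tool https://github.com/example/tool/releases
2022-12-29T10:07:03Z 10.0.0.9 https://github.com/example/tool/releases https://github.com/example/tool/releases/download/v1/tool.zip
"""
SEARCH_HOSTS = {"www.google.com"}
# File-hosting origins the article names as abused for payload delivery (hostnames assumed).
FILE_HOSTS = {"github.com", "objects.githubusercontent.com", "www.dropbox.com",
              "dl.dropboxusercontent.com", "cdn.discordapp.com"}
PAYLOAD_EXT = (".zip", ".msi")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def parse_log(text):
    """One (client, referrer, url) tuple per well-formed line, in log order."""
    return [(c, r, u) for _, c, r, u in re.findall(r"^(\S+) (\S+) (\S+) (\S+)$", text, re.M)]

def click_chain(rows, idx):
    """Walk referrers backwards from rows[idx] for the same client; hosts newest first."""
    client, ref, url = rows[idx]
    hosts = [host_of(url)]
    for j in range(idx - 1, -1, -1):
        if rows[j][0] == client and rows[j][2] == ref:
            hosts.append(host_of(ref))
            ref = rows[j][1]
    hosts.append(host_of(ref))  # referrer that started the chain, e.g. the search page
    return hosts

def find_suspicious_downloads(text):
    """Flag ZIP/MSI fetches from a file host whose click chain began at a search engine and
    passed through at least one domain that is neither the search engine nor a file host."""
    rows, hits = parse_log(text), []
    for idx, (client, _, url) in enumerate(rows):
        if not urlparse(url).path.lower().endswith(PAYLOAD_EXT) or host_of(url) not in FILE_HOSTS:
            continue
        chain = click_chain(rows, idx)
        redirectors = [h for h in chain[1:] if h not in FILE_HOSTS | SEARCH_HOSTS]
        if SEARCH_HOSTS & set(chain) and redirectors:
            hits.append({"client": client, "payload": url, "chain": chain[::-1]})
    return hits
```

Running `find_suspicious_downloads(SAMPLE_LOG)` returns only the 10.0.0.5 chain; in a real deployment the referrer chain would come from the proxy's own fields and the search and file-host lists from your environment.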
Guardio Labs reported on a campaign spotted in November that used a trojanised version of Grammarly bundled with the Raccoon Stealer malware. Users get the program they downloaded, and it runs as it should, except that the malware also installs itself silently in the background.
A report from Trend Micro also points out that the threat actors running the IcedID campaign used the Keitaro Traffic Direction System to determine whether a visitor was a researcher or a victim before redirecting them to the malicious site.
Users without ad-blockers installed in their browsers are the most susceptible to these campaigns, as Google Ads often appear right at the top of the search results page. The FBI has also issued a warning about such campaigns, asking users to be cautious when browsing the internet.