
Hackers are using Google Ads to impersonate popular programs


Hackers are abusing Google Ads to impersonate popular programs and deliver malware to unsuspecting victims. The attackers clone the official websites and distribute trojanised installers that bundle the legitimate program with malware that silently installs itself alongside it.

Here’s a complete list of the impersonated programs:

  • AnyDesk
  • Brave
  • Dashlane
  • Grammarly
  • LibreOffice
  • MSI Afterburner
  • Malwarebytes
  • OBS
  • Ring
  • Slack
  • TeamViewer
  • Thunderbird
  • μTorrent

The two major malware families distributed are the Raccoon Stealer and the IcedID malware loader. The ad for the impersonated program first leads the user to a decoy site, which then redirects them to the actual malicious site that serves the malware-laced download.

The campaign workflow. | Source: Guardio Labs

Since Google Ads blocks any malicious campaigns it detects, threat actors need a way around that screening to reach victims. Using a fake but relatively harmless site as the ad's landing page and then redirecting users on to the malicious site appears to be working for them for now.

The malicious site then serves the payload as a ZIP or MSI package downloaded from popular and reputable file-hosting services, including GitHub, Dropbox and Discord, to throw off any antivirus or screening programs installed on the victim's computer.
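The three-hop chain described above (ad click, decoy landing page, redirect to a second domain, archive fetched from a reputable file host) is something a defender can hunt for in web-proxy logs. The following is an added example, not code from the original article or from Guardio Labs; the log format, the client addresses, the `.example` domains and the referer behaviour are all constructed assumptions.

```python
"""Hunt web-proxy logs for the malvertising chain: a search-ad click lands on a
decoy site, the decoy redirects the browser to a different domain, and that
domain hands out a ZIP/MSI hosted on a reputable file-hosting service.
Constructed log format: "<time> <client> <status> <url> <referer>"."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: ad click-through hosts seen in the referer of the landing page.
AD_CLICK_HOSTS = {"www.googleadservices.com", "googleads.g.doubleclick.net"}
# File-hosting services named in the article (hostnames are assumptions).
FILE_HOSTS = {"github.com", "objects.githubusercontent.com", "www.dropbox.com",
              "dl.dropboxusercontent.com", "cdn.discordapp.com"}
ARCHIVE_EXT = (".zip", ".msi")

# Constructed sample: client 10.0.0.5 follows the full chain; 10.0.0.9 makes a
# normal GitHub release download with no ad click in front of it.
SAMPLE = """\
10:00:01 10.0.0.5 302 https://www.googleadservices.com/pagead/aclk?sa=L https://www.google.com/search?q=grammarly
10:00:02 10.0.0.5 200 https://grammarly-decoy.example/ https://www.googleadservices.com/pagead/aclk?sa=L
10:00:03 10.0.0.5 302 https://grammarly-decoy.example/download https://grammarly-decoy.example/
10:00:04 10.0.0.5 200 https://grammarly-installer.example/get https://grammarly-decoy.example/download
10:00:05 10.0.0.5 200 https://cdn.discordapp.com/attachments/1/2/GrammarlySetup.zip https://grammarly-installer.example/get
10:05:00 10.0.0.9 200 https://github.com/foo/bar/releases/download/v1/tool.zip https://github.com/foo/bar/releases
""".splitlines()

def parse_line(line):
    ts, client, status, url, referer = line.split()
    return {"ts": ts, "client": client, "status": int(status), "url": url, "referer": referer}

def host(url):
    return urlparse(url).netloc.lower()

def flag_ad_redirect_downloads(lines):
    """Return (client, decoy_host, redirect_host, download_url) for each client
    whose requests walk the whole chain in order."""
    by_client = defaultdict(list)
    for event in map(parse_line, lines):
        by_client[event["client"]].append(event)
    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])  # same-day HH:MM:SS stamps sort as strings
        landing = redirected = None
        for e in events:
            h, ref = host(e["url"]), host(e["referer"])
            if ref in AD_CLICK_HOSTS and h not in AD_CLICK_HOSTS:
                landing, redirected = h, None            # hop 1: decoy landing page
            elif landing and ref == landing and h != landing:
                redirected = h                           # hop 2: sent on to another domain
            elif redirected and ref == redirected and h in FILE_HOSTS \
                    and urlparse(e["url"]).path.lower().endswith(ARCHIVE_EXT):
                hits.append((client, landing, redirected, e["url"]))  # hop 3: archive fetch
    return hits
```

Browsers often strip or trim the referer on ad click-throughs, so in real logs the first hop would more likely be matched on the ad host's own 3xx response immediately preceding the landing-page request.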

Guardio Labs reported on a campaign it spotted in November that used a trojanised Grammarly installer bundled with the Raccoon Stealer malware. Users get the program they downloaded, and it runs as it should, except that the malware also installs itself silently in the background.

The campaign redirects to a malicious site instead of the advertised one. | Source: Guardio Labs

A report from Trend Micro also points out that the threat actors running the IcedID campaign used the Keitaro Traffic Direction System to determine whether a visitor was a researcher or a potential victim before redirecting them to the malicious site.

Users without ad-blockers installed in their browsers are the most susceptible to these campaigns, as Google Ads often appear right at the top of the search results page. The FBI has also issued a warning about such campaigns, asking users to be cautious when browsing the internet.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
