A sophisticated malware distribution campaign exploiting Google Ads tracking functionality highlights the evolving strategies cybercriminals use to infiltrate systems.
The malware is disguised as installers for popular groupware applications such as Notion and Slack. The malicious files carry names like Notion_software_x64_.exe and Slack_software_x64_.exe so that users take them for legitimate software packages.
Once run, these files carry out a series of malicious actions, including downloading additional payloads from attacker-controlled servers.
One notable aspect of this campaign is the abuse of Google Ads tracking features to propagate the malware. A tracking template determines where an ad click is sent before it reaches the advertised landing page, so an ad can display a legitimate domain while the click is routed through attacker-controlled redirectors to a malicious website. This makes the technique particularly deceptive, as it exploits users' trust in ads displayed by reputable platforms like Google. Cybersecurity researchers at ASEC recently exposed this campaign.
The process begins when users encounter these malicious ads while searching for keywords related to the targeted groupware, such as Notion or Slack. Clicking on an ad sends users through a series of intermediary URLs before landing them on a malicious website built to mimic the legitimate groupware download page.
The redirection passes through several hops, including an intermediary address on Firebase Dynamic Links (a legitimate Google service), hxxps://pantovawy.page[.]link/jdF1/ url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8, which carries the genuine Notion pricing URL as a parameter, before finally landing on hxxps://notione.my-apk[.]com.
The lookalike hostname (notione rather than notion) and the real Notion URL embedded in the redirect make the chain appear authentic, increasing the likelihood that users download and run the malware.
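The redirect chain described above lends itself to an automated check. The following Python script is an added example, not code from the article or from ASEC: it walks a captured chain offline and flags the two tell-tale signs of this campaign, a hop that carries the vendor's real URL as a decoy query parameter and a final host that merely resembles the vendor's domain. The allowlist of vendor hosts, the `ads.example` first hop and the benign comparison chain are constructed for the example, and the `?` before `url=` is assumed, since the published indicator shows a space at that position.

```python
"""Flag an ad redirect chain that lands on a lookalike download page.

Added example (not from the article or from ASEC). Works on a list of hop
URLs captured from a click, so it runs offline and makes no requests.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allowlist of legitimate hosts per brand; a real deployment would
# maintain this per application from the vendor's documentation.
VENDOR_HOSTS = {
    "notion": {"notion.so", "www.notion.so"},
    "slack": {"slack.com", "www.slack.com", "app.slack.com"},
}

# Constructed chain modelled on the article's hops. The first hop stands in
# for the ad click; the '?' before 'url=' is assumed (the published indicator
# has a space there).
MALICIOUS_CHAIN = [
    "https://ads.example/click?cid=1",
    "https://pantovawy.page.link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8",
    "https://notione.my-apk.com/",
]

# Constructed benign chain: the click ends on the real vendor site.
BENIGN_CHAIN = [
    "https://ads.example/click?cid=2",
    "https://www.notion.so/pricing?gad_source=1",
]


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def embedded_vendor_urls(url):
    """Return (brand, url) pairs for query values that are absolute URLs on a vendor host."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            candidate = unquote(value)
            if not candidate.startswith(("http://", "https://")):
                continue
            host = host_of(candidate)
            for brand, hosts in VENDOR_HOSTS.items():
                if host in hosts:
                    found.append((brand, candidate))
    return found


def impersonated_brand(host):
    """Brand whose name appears in a host that is not on that brand's allowlist."""
    for brand, hosts in VENDOR_HOSTS.items():
        if host not in hosts and brand in host:
            return brand
    return None


def analyse_chain(chain):
    """Summarise a redirect chain and return a verdict of 'suspicious' or 'ok'."""
    final_host = host_of(chain[-1])
    # Decoy vendor URLs are only interesting on the hops before the landing page.
    decoys = [d for hop in chain[:-1] for d in embedded_vendor_urls(hop)]
    lookalike = impersonated_brand(final_host)
    lands_on_vendor = any(final_host in hosts for hosts in VENDOR_HOSTS.values())
    reasons = []
    if lookalike:
        reasons.append(f"final host {final_host!r} resembles {lookalike} but is not a {lookalike} domain")
    if decoys and not lands_on_vendor:
        brands = ", ".join(sorted({brand for brand, _ in decoys}))
        reasons.append(f"chain carries {brands} URL(s) as parameters yet lands elsewhere")
    return {
        "final_host": final_host,
        "decoys": decoys,
        "impersonated_brand": lookalike,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for chain in (MALICIOUS_CHAIN, BENIGN_CHAIN):
        report = analyse_chain(chain)
        print(report["verdict"], report["final_host"], report["reasons"])
```

The brand-in-hostname test is deliberately simple (substring match against the allowlist) and will miss lookalikes that use homoglyphs or drop the brand name entirely; in practice it is one signal to combine with the decoy-parameter check and with the registrable domain of the landing page.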
Once executed, the malware takes steps to obscure its activity and evade detection. It retrieves the payload addresses from legitimate services, tinyurl[.]com and textbin[.]net, then downloads a variant of the Rhadamanthys information stealer and injects it into legitimate Windows system files located in the %system32% directory.
Running under the cover of trusted system files lets the stealer operate stealthily, potentially compromising sensitive user data without detection.
The campaign underlines the need for better defences by both individuals and organisations. Cybersecurity experts advise users to exercise caution when clicking on online ads, especially those related to software downloads, and to verify that a download site's domain and URL genuinely belong to the vendor before downloading any file. Because the address shown on an ad need not be where the click actually leads, the address bar of the landing page is a better indicator than the ad text.