Cybercriminals have turned to malvertising to distribute malware disguised as legitimate software downloads. The latest campaign, which has recently come to light, targets a range of utility software, including Slack, Notion, Calendly, Odoo, and Basecamp.
By exploiting the trust of these widely used platforms, the threat actors cast a wide net in their efforts to infect both Mac and Windows systems.
One particularly worrying aspect of this campaign is its focus on the Mac version of Slack. According to researchers, attackers have been posing as legitimate advertisers to launch malicious ads that appear to represent trusted brands. The ads themselves look convincing — featuring official logos, accurate product descriptions, and links that appear to lead to legitimate sites.
However, complex layers of redirection, cloaking, and fingerprinting hide behind these ads, allowing malicious actors to avoid detection and stay online for extended periods.

For Mac users, these deceptive ads redirect victims to malicious websites, tricking them into downloading a harmful payload. In this case, the malware is an infostealer related to the AMOS (Atomic Stealer) family, designed to extract passwords, browser information, and other sensitive data, which is then uploaded to a remote server in Russia.
Windows users are not immune to this malvertising campaign. Instead of being led to Russian servers, Windows users are directed to GitHub-hosted payloads. These payloads are suspected to be a variant of the Rhadamanthys infostealer, which has been inflated in size to avoid detection in security sandboxes.
Once installed, it extracts personal data and secrets stored in browsers, apps, and extensions.
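The size-inflation trick described above can be spotted with a simple entropy heuristic. The following script is an added example, not part of the original report or any researcher's tooling: it measures how much of a downloaded installer consists of low-entropy filler (long runs of zeros or a repeated byte) and flags files dominated by such padding. The window size, entropy cut-off and ratio threshold are assumed values, and the two sample blobs are constructed inline rather than real binaries.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # analysis window in bytes (assumed value)
LOW_ENTROPY = 1.0     # bits per byte; a window below this is treated as filler (assumed)
INFLATED_RATIO = 0.5  # flag when more than half the file is filler (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-value input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def padding_ratio(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of fixed-size windows whose entropy is low enough to be filler.

    Inflated samples pad a small real payload with megabytes of zeros or a
    repeated byte so the file exceeds sandbox upload or scan size limits; such
    regions show up as long runs of near-zero-entropy windows.
    """
    windows = [data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk)]
    if not windows:
        return 0.0
    low = sum(1 for w in windows if shannon_entropy(w) < LOW_ENTROPY)
    return low / len(windows)


def looks_inflated(data: bytes, ratio_threshold: float = INFLATED_RATIO) -> bool:
    """True when the file is dominated by filler rather than code or data."""
    return padding_ratio(data) > ratio_threshold


# Constructed samples (not real malware): a "normal" blob of pseudo-random bytes,
# and the same 64 KiB payload followed by 768 KiB of zero padding.
_rng = random.Random(1)
CLEAN_SAMPLE = _rng.randbytes(64 * 1024)
PADDED_SAMPLE = CLEAN_SAMPLE + b"\x00" * (768 * 1024)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(f"{name}: {len(blob)} bytes, filler ratio {padding_ratio(blob):.2f}, "
              f"inflated={looks_inflated(blob)}")
```

Padding made of random bytes rather than a repeated value will not trip this check, so treat a positive result as a reason to sandbox the file with raised size limits, not as the only signal.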
Researchers discovered one of the more disturbing elements of the attack: cybercriminals impersonated legitimate businesses to give credibility to their ads. They have at times used the identities of well-known companies, such as law firms and women’s health organisations, to mask their true intentions.
When searching for Slack from a U.S.-based IP address, for example, the top Google result appeared as a seemingly legitimate ad for the communication tool. However, clicking on it redirected users to a malware-laden site.
Although Google promptly removed the ads following reports, new malicious ads reappeared under different guises. The attackers have successfully exploited weaknesses in Google’s ad verification processes, allowing them to repeatedly bypass security measures by hiding behind stolen identities.

The threat actors employ sophisticated methods to avoid automated detection. Their tactics include setting up decoy sites that mimic legitimate download pages and initiating a series of redirections through multiple click trackers. These techniques help identify real victims while screening out security bots and researchers.
Attackers’ ultimate goal is to get unsuspecting users to download malware, often disguised as a legitimate software update or installer.
While Google has swiftly removed several malicious ads, the campaign is far from over. New ads continue to emerge, demonstrating the attackers’ resilience. The malware delivery methods remain consistent, with payloads hosted on various platforms such as GitHub for Windows users and PHP-scripted sites for Mac users.
Researchers have urged users and organisations to avoid downloading software via ads. Instead, users should visit the official websites directly to avoid falling victim to these schemes. Additionally, investing in a reputable antivirus can also go a long way in protecting users from these malvertising campaigns.
In June 2024, reports emerged that Poseidon Mac Stealer was distributed via Google Ads. Another intricate malvertising campaign was discovered distributing Oyster backdoors in the same month.
In May, researchers discovered that cybercriminals are distributing D3F@ck Loader via Google Ads.