If you search for PDF converters or Notepad++ on Google, then be on your guard. According to the cybersecurity company Malwarebytes, a malvertising campaign has emerged that takes advantage of Google Ads to direct users searching for these popular software to dangerous landing pages and distribute next-stage payloads. The report claims that the malvertising campaign is “unique in its way to fingerprint users and distribute time-sensitive payloads”. Another thing that sets apart this campaign from others is the way the payload is being downloaded.
How hackers work
The hacking campaign targets users looking for free versions of Notepad++ and PDF converters with fake ads on Google search. These ads take users to a decoy website after filtering out bots and unwanted IP addresses. “A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non genuine IP addresses and instead shows a decoy site,” said the report.
The victim is redirected to a fake website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Potential targets are assigned a unique ID for tracking and to make each download unique and time-sensitive, according to the report.
The final-stage malware establishes a connection to a remote domain (“mybigeye[.]icu”) on a custom port and serves follow-on malware through an HTA payload.
“Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims,” said Jerome Segura, director of threat intelligence, Malwarebytes.
“With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads,” he added.
Users who land on the decoy site are tricked into downloading a malicious installer, which then executes FakeBat (a.k.a EugenLoader), a loader designed to download additional malicious code, the report noted.
How hackers work
The hacking campaign targets users looking for free versions of Notepad++ and PDF converters with fake ads on Google search. These ads take users to a decoy website after filtering out bots and unwanted IP addresses. “A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non genuine IP addresses and instead shows a decoy site,” said the report.
The victim is redirected to a fake website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Potential targets are assigned a unique ID for tracking and to make each download unique and time-sensitive, according to the report.
The final-stage malware establishes a connection to a remote domain (“mybigeye[.]icu”) on a custom port and serves follow-on malware through an HTA payload.
“Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims,” said Jerome Segura, director of threat intelligence, Malwarebytes.
“With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads,” he added.
Users who land on the decoy site are tricked into downloading a malicious installer, which then executes FakeBat (a.k.a EugenLoader), a loader designed to download additional malicious code, the report noted.
Denial of responsibility! Swift Telecast is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – swifttelecast.com. The content will be deleted within 24 hours.