Malvertising is on the rise, reaching new heights of danger as it infiltrates Google Ads, in Google search where millions of users browse the web. The alarming twist? It all came to light through a seemingly malicious advertising of the code editing tool Notepad++, while using sophisticated techniques to invade detection.
A researcher at Malwarebytes by the name Jerome Segura stated that:
“In recent weeks we have noted an increase in Malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.”
The malware ads which has been spotted to be ongoing for months, indicates how threat actors have seemingly been abusing Google Ads towards their own personal gain, by promoting malicious websites that host and distributes malwares.
Further research indicates that the objective of the threat actor is to deliver a final payload (unknown) to its victims. However, researchers at Malwarebytes have a contrary opinion; saying there is a likely chance that the payload is “cobalt strike”.
MALVERTISING AND EXPLOITATION OF GOOGLE ADS:
Google Ads which is solely for business purpose, allows business owners to bring awareness to their business through ads. Threat actors are seemingly using this to advertise the Notepad++ malware through URL’s that are not related to the software, and displaying false title, with the intent to deceive.
In this scenario, the SEO (Search Engine Optimization) tactics in question are manipulated, taking advantage of the fact that titles are significantly larger than URLs. This strategic move lures search engine users into the trap.
As soon as visitors click on any of the ads, a redirection that checks certain information such as IP addresses, executes. This is to enable the filtering of crawlers, VPNs, bots and redirects them to a decoy site that has no malicious file in it.
However if the checks are passed, and information indicates a legitimate user trying to access the ads, the user is then redirected to “notepadxtreme[.]com” (the use of typo squatting can be noted here); A clone of the legitimate website which features links to download various versions, of the software.
If these checks are verified, the user is then served an HTA script, which has a unique ID assigned to it (an indicator, for the attacker to track the infected devices). The payload is noticed to be served once per victim, as revisiting the URL triggers an error 404 page.
Analysis of the HTA (HTml Application), by Malwarebytes showed no useful information as the malware shows no signs of being weaponized at the moment. However, further investigation on virustotal reveals the same file was uploaded on virustotal portal from July.
Also, Reviewing the file, shows that a remote connection to a domain via a custom port was initiated; likely part of a Cobalt Strike deployment.
While there are no indicators showing the active state of the malware, users are advised to be cyber aware, and take precautionary measures when accessing tools/software applications online. A more adequate approach which involves reviewing the handle, and ensuring its legitimacy, should be adopted. Detailed information about the malware and indicator of compromise can be read here.
Please do let us know in the comment section what are your thoughts about this.