Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Threat Campaigns Utilizing Google Search Ads to Push Information-Stealing Malware

Reporters at Bleeping Computer have compiled research from several different sources over the past few months indicating that multiple threat campaigns are using advertisements in Google search results to deploy information-stealing malware. Malware variants identified by these researchers include RedLine Stealer, IcedID, and Rhadamanthys Stealer. The threat actors create fake websites that masquerade as the download page of a legitimate tool and host their malicious payload there. Once a victim falls for the impersonation, the malicious payload is downloaded to their computer. The threat actors buy Google search advertisements to push their fake site to the top of the search results. Oftentimes, more than one malicious site appears before the legitimate site.

Across the different compiled sources, the threat actors were seen impersonating a wide variety of tools such as Rufus, Notepad++, VLC Media Player, and CCleaner, among many others. Most recently, a prominent cryptocurrency influencer known as “NFT God” fell victim to a fake Google advertisement impersonating Open Broadcaster Software (OBS). While “nothing happened” when they clicked the executable, all their cryptocurrency wallets, as well as credentials for Substack, Gmail, and Discord, were stolen in the background. Google has since removed the malicious advertisements after they were reported.

Analyst Notes

While this combination of phishing and typosquatting isn’t necessarily novel or unique, it could still be detrimental to an organization if an employee were to fall for it. Additionally, the use of Google search advertisements makes it more likely that an employee would fall for a campaign such as this, as the fake site often appears before the legitimate site. As with most types of phishing attacks, the best defense against campaigns utilizing these techniques is user education and prevention. End users should be made aware of this technique for pushing malicious tools. Additionally, they should be advised to use ad-blockers on their work computers to help prevent this. It may also be beneficial to monitor downloads from sites with suspicious top-level domains such as “.pro”, but this would only catch some of the activity from these campaigns. In the end, it is best to have a defense-in-depth strategy to catch this activity earlier in the attack chain.
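One way to start the download monitoring suggested above, as an added example that is not part of the ARC Labs post: it scans constructed proxy-log lines for executable downloads served from a suspicious TLD (“.pro” comes from the post; the other TLDs are assumed) or from a domain that resembles the official download site of one of the impersonated tools (the allowlist of official domains is an assumption, as is the log format).

```python
# Added example (not from the ARC Labs post): flag executable downloads from
# suspicious-TLD or lookalike domains in constructed proxy log lines.
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Assumed allowlist: keyword -> official download domain for tools named in the post.
OFFICIAL_DOMAINS = {
    "rufus": "rufus.ie",
    "notepad": "notepad-plus-plus.org",
    "vlc": "videolan.org",
    "ccleaner": "ccleaner.com",
    "obsproject": "obsproject.com",
}
SUSPICIOUS_TLDS = {"pro", "top", "xyz"}  # ".pro" is from the post; the rest are assumed
EXECUTABLE_EXT = re.compile(r"\.(exe|msi|zip|iso|dmg)$", re.I)
# Assumed log format: "<timestamp> <user> GET <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET https?://([^/\s]+)(/\S*)")

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a public-suffix list would be used in production."""
    return ".".join(host.lower().split(".")[-2:])

def classify(host: str, path: str) -> Optional[str]:
    """Return a reason if an executable download comes from an impersonation-style site."""
    if not EXECUTABLE_EXT.search(path) or "." not in host:
        return None
    dom = registered_domain(host)
    tld = dom.rsplit(".", 1)[1]
    if tld in SUSPICIOUS_TLDS:
        return f"suspicious TLD .{tld}"
    for keyword, official in OFFICIAL_DOMAINS.items():
        if dom == official:
            return None  # the genuine download site
        if keyword in dom or SequenceMatcher(None, dom, official).ratio() > 0.8:
            return f"lookalike of {official}"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, url, reason) for every log line that classify() flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            _ts, user, host, path = m.groups()
            reason = classify(host, path)
            if reason:
                hits.append((user, host + path, reason))
    return hits

SAMPLE_LOGS = [  # constructed sample data
    "2023-01-20T10:01:02Z alice GET https://notepad-plus-plus.org/repository/npp.exe 200",
    "2023-01-20T10:02:15Z bob GET https://notepad-plus-plus.pro/download/npp.8.4.exe 200",
    "2023-01-20T10:03:40Z carol GET https://obsproject-studio.com/OBS-Studio-Setup.exe 200",
    "2023-01-20T10:04:11Z dave GET https://www.ccleaner.com/download/ccsetup.exe 200",
    "2023-01-20T10:05:00Z erin GET https://rufus-downloader.com/rufus-3.21.exe 200",
]
```

Running `scan(SAMPLE_LOGS)` flags bob, carol and erin while leaving the two genuine downloads alone; as the post notes, this catches only part of the activity, since campaigns also use ordinary TLDs and unrelated domain names.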