Bleeping Computer reported that a massive domain typo-squatting campaign was impersonating software companies. The threat actors behind the campaign used the domain names to set up web pages that looked like the product download pages of legitimate software companies but delivered malware instead. Over 200 domains were created to deliver several malware families to a vast number of victims across diverse industries and geographic regions, with no specific targeting pattern apparent. Until now, it was unclear how victims were reaching these domains; that question has finally been answered.
Researchers have now discovered a massive number of fraudulent Google ads created to impersonate companies including Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave. The legitimate software download pages are cloned and posted on typo-squatted domains, and the threat actors then buy ad space on Google so that the fake domain appears first when one of the companies is searched for. This technique relies on the victim either not noticing that these results are “ads”, which are clearly marked next to the search result, or believing the ads come from the real company. The malware delivered to victim systems this way includes variants of Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID malware loader. Google has processes in place to prevent malware from being shared via ads, so to bypass them the threat actors redirect the victim twice: the Google ad first leads to a non-malicious website, which then performs a second redirect to the website hosting the malware.
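The defensive counterpart to the technique described above is screening the domains that appear in ad-click redirect chains for look-alikes of the impersonated brands. The following is an added example, not code from the original article or from any of the vendors named: it folds common homoglyph substitutions, checks for a brand embedded in or within a small edit distance of the registrable label, and flags a chain whose final hop lands on a look-alike of a different domain than the first hop. The brand list, homoglyph table, sample domains and the sample redirect chain are all constructed for illustration and are not indicators from the campaign.

```python
"""Typosquat screening for domains seen in ad-click redirect chains.

Added example; not code from the article. Every brand, substitution and
sample host below is constructed for illustration, not a real indicator.
"""
import unicodedata

# Constructed brand list: second-level labels of the vendors the article names.
# In practice this would come from a maintained allowlist of known vendor domains.
BRANDS = ["grammarly", "msi", "slack", "dashlane", "malwarebytes", "audacity",
          "utorrent", "obs", "ring", "anydesk", "libreoffice", "teamviewer",
          "thunderbird", "brave"]

# Look-alike substitutions (ASCII tricks plus a few Cyrillic confusables).
# Multi-character keys are applied first so "rn" becomes "m" before "1" becomes "l".
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e",
              "5": "s", "|": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c"}


def registrable_label(host: str) -> str:
    """Return the label left of the public suffix ('grammarly' for
    'download.grammarly.example'). Assumption: a one-label public suffix;
    a real deployment would consult the public suffix list instead."""
    host = host.lower().strip().rstrip(".")
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold Unicode compatibility forms (NFKC), drop hyphens, and replace
    known homoglyphs so 'gramrnarly' and 'grammar1y' both become 'grammarly'."""
    label = unicodedata.normalize("NFKC", label).lower().replace("-", "")
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brands=BRANDS) -> dict:
    """Screen one host against the brand list and explain the verdict."""
    label = registrable_label(host)
    folded = normalize(label)
    if label in brands:  # the brand itself; confirm against the vendor allowlist
        return {"host": host, "brand": label, "verdict": "exact", "reason": "exact"}
    if folded in brands:  # only homoglyphs/hyphens separate it from the brand
        return {"host": host, "brand": folded, "verdict": "suspicious",
                "reason": "folds-to-brand"}
    for brand in brands:  # e.g. grammarly-download; short brands skipped
        if len(brand) >= 5 and brand in folded:
            return {"host": host, "brand": brand, "verdict": "suspicious",
                    "reason": "brand-embedded"}
    best = None
    for brand in brands:
        # Edit-distance budget scales with brand length so that short names
        # like 'obs' or 'ring' do not match every four-letter word.
        budget = 0 if len(brand) < 5 else (1 if len(brand) < 9 else 2)
        d = levenshtein(folded, brand)
        if 0 < d <= budget and (best is None or d < best[1]):
            best = (brand, d)
    if best:
        return {"host": host, "brand": best[0], "verdict": "suspicious",
                "reason": "edit-distance"}
    return {"host": host, "brand": None, "verdict": "unrelated", "reason": None}


def assess_redirect_chain(hops: list) -> dict:
    """Score a click chain (ad landing page first, final page last). The pattern
    from the article is a benign first hop that redirects to a look-alike domain,
    so flag chains that change registrable label and end on a suspicious host."""
    verdicts = [classify(h) for h in hops]
    crosses_domain = len({registrable_label(h) for h in hops}) > 1
    flag = crosses_domain and verdicts[-1]["verdict"] == "suspicious"
    return {"hops": verdicts, "crosses_domain": crosses_domain, "flag": flag}


# Constructed sample chain (not real indicators): benign landing page, then a
# second redirect to a look-alike of one of the impersonated brands.
SAMPLE_CHAIN = ["https://ads-landing.example/offer",
                "https://grammar1y-download.example/get"]

if __name__ == "__main__":
    for hop in assess_redirect_chain(SAMPLE_CHAIN)["hops"]:
        print(hop)
    print("flag:", assess_redirect_chain(SAMPLE_CHAIN)["flag"])
```

The screening is deliberately conservative for short brands: `obs`, `msi` and `ring` are only flagged when the label folds to them exactly, since a one-character edit budget on a three- or four-letter name would fire on ordinary words. The `exact` verdict is not a clean bill of health on its own; it means the label is the brand, which still has to be matched against the vendor's actual registered domains before a click chain is considered safe.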