Reporters at Bleeping Computer have compiled research from several sources over the past few months indicating that multiple threat campaigns are using advertisements in Google search results to deliver information-stealing malware. Malware families observed by these researchers include RedLine Stealer, IcedID, and Rhadamanthys Stealer. The threat actors build lookalike websites that impersonate the download page of a legitimate tool and host the malicious payload there; once a victim falls for the impersonation, that payload is downloaded to their computer instead of the real installer. The actors then buy Google search advertisements so that the fake site appears above the organic results. Oftentimes, more than one malicious ad is shown before the legitimate site.
Across the compiled sources, the threat actors were seen impersonating a wide variety of tools, including Rufus, Notepad++, VLC Media Player, and CCleaner, among many others. Most recently, a prominent cryptocurrency influencer known as “NFT God” fell victim to a fake Google advertisement impersonating Open Broadcaster Software (OBS). While “nothing happened” when they clicked the executable, which is exactly what an infostealer is designed to look like from the victim's side, all their cryptocurrency wallets, as well as credentials for Substack, Gmail, and Discord, were stolen in the background. Google has since removed the malicious advertisements after they were reported.
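The common thread in every case above is that the download came from a host that does not belong to the vendor. The following is an added example, not code from Bleeping Computer or from any of the projects named, of the check a practitioner can apply to ad landing URLs before anything is downloaded: does the URL's hostname actually fall under the vendor's official domain? The vendor domains in the table are this example's assumption (they are the projects' real domains as of writing, but maintain the list yourself), and the list of ad results is constructed for illustration; the `.example` hosts are not real sites.

```python
from urllib.parse import urlsplit

# Assumed vendor domains for the tools named in the article. Maintain this
# list from the vendors' own sites; it is not data taken from the article.
OFFICIAL_HOSTS = {
    "rufus": {"rufus.ie"},
    "notepad++": {"notepad-plus-plus.org"},
    "vlc": {"videolan.org"},
    "ccleaner": {"ccleaner.com"},
    "obs": {"obsproject.com"},
}


def normalized_host(url: str) -> str:
    """Return the lowercase hostname of an absolute URL, or '' if it has none.

    urlsplit().hostname already discards userinfo and the port, so a lure such as
    https://notepad-plus-plus.org@evil.example/ resolves to evil.example and an
    uppercase host is lowercased. A trailing dot (FQDN form) is stripped so that
    obsproject.com. compares equal to obsproject.com. A URL without a scheme
    has no hostname and is treated as untrusted rather than guessed at.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_official_download(url: str, tool: str) -> bool:
    """True only if the URL's host is the vendor's domain or a subdomain of it.

    Suffix matching is anchored on a leading dot, so notepad-plus-plus.org.evil.example
    does not match notepad-plus-plus.org, and punycode hosts (xn--...) never equal
    the ASCII vendor domain, so homoglyph lookalikes are flagged as well.
    """
    host = normalized_host(url)
    if not host:
        return False
    return any(host == official or host.endswith("." + official)
               for official in OFFICIAL_HOSTS[tool])


# Constructed sample of (tool searched for, ad landing URL) pairs. The
# .example hosts are placeholders standing in for lookalike sites.
CONSTRUCTED_AD_RESULTS = [
    ("notepad++", "https://notepad-plus-plus.org/downloads/"),
    ("notepad++", "https://notepad-plus-plus.org@download-notepad.example/setup.exe"),
    ("notepad++", "https://notepad-plus-plus.org.download.example/"),
    ("obs", "https://obsproject.com/download"),
    ("obs", "https://obs-project.example/"),
    ("vlc", "https://mirror.videolan.org/vlc/"),  # subdomain of the vendor domain
    ("vlc", "https://xn--vidolan-cza.example/"),  # IDN lookalike, never matches ASCII domain
]


def triage(entries):
    """Return the (tool, url) pairs whose host is not under the vendor's domain."""
    return [(tool, url) for tool, url in entries if not is_official_download(url, tool)]


if __name__ == "__main__":
    for tool, url in triage(CONSTRUCTED_AD_RESULTS):
        print(f"FLAG  {tool:10} {url}")
```

The check deliberately does nothing clever with the page content or branding, because that is exactly what the lures copy well; the hostname is the one thing the attacker cannot borrow. It is a pre-download filter, not a substitute for verifying the installer itself: once a file is fetched, compare its hash or code-signing certificate against what the vendor publishes, since a fake site can also be served from a compromised or freshly registered domain that no allowlist anticipates.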