Cybercriminals have deployed a new malicious campaign that takes advantage of Google Ads to promote cloned ‘software’ web pages, through which they deploy different types of ‘malware’, such as Raccoon Stealer and Vidar, once victims have downloaded the offered programs to their devices.
In this campaign, which has remained active during this month of December, programs such as Grammarly, Microsoft Visual Studio, Thunderbird, OBS, TeamViewer, Slack and Zoom have been implicated, as reported by Nati Tal, director of Guardio Labs, a company that has produced a report together with Trend Micro. In it, the ‘modus operandi’ of these cyber-fraudsters is explained.
Specifically, the fraudsters have displayed a series of advertisements –placed through Google Ads– for allegedly legitimate, but in fact counterfeit, software download web pages.
In this sense, it should be remembered that Google Ads allows advertisers to promote their web pages in Google Search and places them at the top of the list of results. Hence, once these websites are cloned, users without a blocker will encounter these ads first.
If Google detects that a campaign’s target site is malicious, it blocks the campaign and removes the ads. For this reason, cybercriminals have developed a strategy to evade this security system.
As reported by Guardio Labs and Trend Micro, the scammers use a trick: victims who click on the ad are first taken to a benign site created by the attackers, and only then redirected to the malicious cloned website.
Hence, they initially use websites with very similar names as bait. This is the case of the Grammarly grammar and spelling application, for which cloned pages have been found under names such as ‘grammartly’ or ‘gramnarly’.
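The look-alike domain names described above can be screened for on the defensive side, for example over DNS or proxy logs. The following is an added example, not code from the Guardio Labs or Trend Micro report; the brand list and sample domains are constructed for illustration.

```python
# Added example: flag domains whose registrable label is a close edit of a
# protected brand (e.g. 'grammartly', 'gramnarly' vs. 'grammarly').
from typing import List, Tuple

# Constructed brand list; in practice this would be the organisation's own.
PROTECTED_BRANDS = ["grammarly", "anydesk", "obsproject", "teamviewer", "slack", "zoom"]

# Constructed sample of domains as they might appear in DNS/proxy logs.
SAMPLE_DOMAINS = ["www.grammarly.com", "grammartly.com", "gramnarly.net",
                  "anydesk-download.com", "example.org"]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance:
    counts insertions, deletions, substitutions and adjacent swaps."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def registrable_label(domain: str) -> str:
    """Naive registrable label: second-to-last DNS label (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(domains: List[str], brands: List[str] = PROTECTED_BRANDS,
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (domain, brand, distance) for domains that are near-misses of,
    or embed, a protected brand. The brand's own exact label is not a hit."""
    hits = []
    for dom in domains:
        label = registrable_label(dom)
        for brand in brands:
            if label == brand:
                continue
            d = edit_distance(label, brand)
            if d <= max_distance or brand in label:
                hits.append((dom, brand, d))
                break
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DOMAINS):
        print("look-alike:", hit)
```

Hits should be reviewed by an analyst rather than blocked automatically, since legitimate third-party domains also embed brand names.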
Once the user has accessed these pages, the cybercriminals attack in different ways. First, they offer legitimate ‘software’ with embedded ‘malware’, which runs in the background once the program has been downloaded.
Another form of attack uses ZIP archives padded with bloated files, so that the total size exceeds the maximum file size that automated malware scanning systems will analyse. Likewise, they ensure that less than 1 percent of the code consists of malicious fragments, so the ‘software’ goes unnoticed. In addition, the cybercriminals modify the payloads periodically.
According to the reports from these cybersecurity companies, one of the malicious agents intercepted is Vidar, a Trojan targeting the GPU of infected devices, which has mainly affected users in Canada and the United States. Specifically, it has reached them through searches for the AnyDesk and MSI Afterburner programs.
Guardio Labs and Trend Micro recommend that users not place blind trust in Google and the search results promoted through Google Ads. They also insist on applying a higher level of protection even for the simplest action, “such as searching for something on Google”, according to Nati Tal.