Watch out for tech support scams lurking in sponsored search results
Our researchers found fake sponsored search results that lead consumers to a typical fake Microsoft alert site set up by tech support scammers.
New Backdoor, MadMxShell
Beginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged GoogleAds to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites. The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests.
The forgotten malvertising campaign
In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain. We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware. In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.
Sneaky Amazon Google ad leads to Microsoft support scam
A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser.
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
Malvertising via brand impersonation is back again
Web search is about to embark on a new journey thanks to artificial intelligence technology that online giants such as Microsoft and Google are experimenting with. Yet, there is a problem when it comes to malicious ads displayed by search engines that AI likely won't be able to fix.
BatLoader Continues to Abuse Google Search Ads to Deliver…
Learn more about the BatLoader malware, how we detected the attack, and recommendations from our Threat Response Unit (TRU) to protect your business from…
Bitwarden password vaults targeted in Google ads phishing attack
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials.
Malware-Traffic-Analysis.net - 2023-02-03 - DEV-0569 activity: Google ad -- FakeBat Loader -- Redline Stealer & Gozi/ISFB/Ursnif
NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.
.NET Virtualization Thrives in Malvertising Attacks
.NET malware loaders distributed through malvertising are using obfuscated virtualization for anti-analysis and evasion in an ongoing campaign.
Google sponsored ads malvertising targets password manager
We have recently written about malvertising campaigns that leverage Google paid advertisements to try and trick people into downloading malware instead of the software they were looking for. This malware then stole login credentials from the affected system.
Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results
SEO poisoning is gaining momentum as threat actors leverage malicious ads to deliver malware through web browser searches.
Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner
Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.
InfoSec Handlers Diary Blog - SANS Internet Storm Center
Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware
Google Ads Exploited to Spread Malware
Google Ads is one of the most popular advertising platform, but it's also a target for cybercriminals. Learn how they are using it to spread malware.
Google Ads Malware Wipes NFT Influencer's Crypto Wallet
NFT influencer @NFT_GOD downloaded malware through Google Ads while attempting to download OBS, an open-source video streaming software.
“MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets
A newly uncovered technique to abuse Google’s ad-words powerful advertisement platform is spreading rogue promoted search results in mass. Pointing to allegedly credible advertisement sites that are fully controlled by threat actors, those are used to masquerade and redirect ad-clickers to malicious phishing pages gaining the powerful credibility and targeting capabilities of Google’s search results. Adding customized malware payloads, threat actors are raising the bar for successful malware deployments on Personal PCs with ad words like Grammarly, Malwarebytes, and Afterburner as well as with Visual Studio, Zoom, Slack, and even Dashlane to target organizations.
Google ads lead to fake software pages pushing IcedID (Bokbot)
Fake sites for popular software have occasionally been used by cyber criminal groups to push malware. Campaigns pushing IcedID malware (also known as Bokbot) also use this method as a distribution technique (we also commonly see IcedID sent through email).
BatLoader Continues to Abuse Google Search Ads to Deliver…
Learn more about the BatLoader malware, how we detected the attack, and recommendations from our Threat Response Unit (TRU) to protect your business from…
Bitwarden password vaults targeted in Google ads phishing attack
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials.
Malware-Traffic-Analysis.net - 2023-02-03 - DEV-0569 activity: Google ad -- FakeBat Loader -- Redline Stealer & Gozi/ISFB/Ursnif
NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.
.NET Virtualization Thrives in Malvertising Attacks
.NET malware loaders distributed through malvertising are using obfuscated virtualization for anti-analysis and evasion in an ongoing campaign.
Google sponsored ads malvertising targets password manager
We have recently written about malvertising campaigns that leverage Google paid advertisements to try and trick people into downloading malware instead of the software they were looking for. This malware then stole login credentials from the affected system.
Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results
SEO poisoning is gaining momentum as threat actors leverage malicious ads to deliver malware through web browser searches.
Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner
Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.
InfoSec Handlers Diary Blog - SANS Internet Storm Center
Malicious Google Ad -- Fake Notepad++ Page -- Aurora Stealer malware
Google Ads Exploited to Spread Malware
Google Ads is one of the most popular advertising platform, but it's also a target for cybercriminals. Learn how they are using it to spread malware.
Google Ads Malware Wipes NFT Influencer's Crypto Wallet
NFT influencer @NFT_GOD downloaded malware through Google Ads while attempting to download OBS, an open-source video streaming software.
“MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets
A newly uncovered technique to abuse Google’s ad-words powerful advertisement platform is spreading rogue promoted search results in mass. Pointing to allegedly credible advertisement sites that are fully controlled by threat actors, those are used to masquerade and redirect ad-clickers to malicious phishing pages gaining the powerful credibility and targeting capabilities of Google’s search results. Adding customized malware payloads, threat actors are raising the bar for successful malware deployments on Personal PCs with ad words like Grammarly, Malwarebytes, and Afterburner as well as with Visual Studio, Zoom, Slack, and even Dashlane to target organizations.
Google ads lead to fake software pages pushing IcedID (Bokbot)
Fake sites for popular software have occasionally been used by cyber criminal groups to push malware. Campaigns pushing IcedID malware (also known as Bokbot) also use this method as a distribution technique (we also commonly see IcedID sent through email).