Hackers using Google Adwords to Spread Malware

Scammers have been using Google Adwords to spread malware to knowledgeable users searching for mainstream software services or products. These popular software products include:

  • uTorrent
  • OBS
  • AnyDesk
  • Libre Office
  • Grammarly
  • MSI
  • Teamviewer
  • Brave

These malware operators clone the official websites of these products and offer trojanized versions for download. BleepingComputer has revealed an enormous typo-squatting campaign that used over 200 domains impersonating software products.
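A defender can screen the hostname behind a download link against the vendor's real domain before trusting it. The sketch below is an added example, not code from BleepingComputer, Trend Micro or Guardio Labs; the vendor domains in `OFFICIAL` are assumptions supplied for illustration, and the sample hostnames are constructed.

```python
# Added example. OFFICIAL maps a brand label to its vendor domain; these entries
# are assumptions for illustration and should be verified before use.
OFFICIAL = {
    "utorrent": "utorrent.com", "obsproject": "obsproject.com",
    "anydesk": "anydesk.com", "libreoffice": "libreoffice.org",
    "grammarly": "grammarly.com", "msi": "msi.com",
    "teamviewer": "teamviewer.com", "brave": "brave.com",
}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, brand): 'official', 'lookalike' or 'unrelated'."""
    labels = host.lower().rstrip(".").split(".")
    # Simplification: treat the last two labels as the registrable domain,
    # which ignores multi-label suffixes such as co.uk.
    domain = ".".join(labels[-2:])
    name = labels[-2] if len(labels) > 1 else labels[0]
    tokens = name.split("-")
    squashed = name.replace("-", "")
    for brand, official in OFFICIAL.items():
        if domain == official:
            return ("official", brand)
    for brand in OFFICIAL:
        # Exact brand as a hyphen-separated token, or same name on another TLD.
        if brand in tokens or squashed == brand:
            return ("lookalike", brand)
        # Fuzzy checks only for longer brands, to limit false positives.
        if len(brand) >= 5 and (brand in squashed or any(
                edit_distance(t, brand) <= 1 for t in tokens + [squashed])):
            return ("lookalike", brand)
    return ("unrelated", None)

# Constructed sample hostnames (reserved .example TLD), not from the campaign.
SAMPLES = ["www.anydesk.com", "grammartly.example",
           "msi-afterburner.example", "get-teamviewer-free.example", "example.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, classify(h))
```

A "lookalike" verdict is a prompt to check the address against the vendor's known site, not proof of malice; the heuristic will also flag unrelated names that happen to sit one character from a brand.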

For example, the fake MSI Afterburner portals were used to infect the user’s device with the RedLine stealer. Previously, it was unknown how users became exposed to these websites. According to Trend Micro and Guardio Labs, Google Ad campaigns were used to spread these malicious websites to a larger audience.

Abusing Google Adwords

Google Ads is a perfect tool to promote businesses on Google SERPs, placing them as advertisements above the official site of the product/service. Without an active ad blocker, users looking to download legit software will find these promotions first.

Users can click on this advertisement. If Google finds the site malicious, it’ll block the campaign and remove the ads, so malware operators need a way to bypass these automated checks. To do this, they created irrelevant sites that users land on after clicking the ads and that then redirect them to the site impersonating the software product.

The malicious files come in MSI or ZIP form and are downloaded from well-known code-hosting and file-sharing sites like GitHub, Discord’s CDN, etc. As a result, the antivirus on the user’s device does not flag these downloads.

Guardio Labs further said they observed a November campaign where malware operators trapped users with trojanized versions of Grammarly to deliver Raccoon Stealer. The files contained the expected software, bundled with additional malware that installed itself on the system in the background.

Trend Micro revealed in its IcedID campaign report that threat actors abused the Keitaro Traffic Direction System to determine whether a visitor is a valid victim or a researcher before redirecting them to the fake site. This abuse has been happening since 2019.

By activating an ad-blocker, you can filter promoted results from Google, ensuring you stay safe from such attacks.
