Google PPC Ads Used in Credential Stealing Attacks

Posted on by Dawna M. Roberts in News June 22, 2021

Threat researchers have discovered dozens of Google PPC ads that link to malicious websites laced with Redline, Taurus, Tesla, and Amadey malware (info stealers). 
Google PPC Ads Links to Malicious Websites

What is Happening?

Threat assessment company Morphisec disclosed in a report on Wednesday that they have been tracking for some time Google PPC ads that lure users into downloading malicious versions of Dropbox, AnyDesk, and Telegram. These packages are wrapped as ISO images. 

The Google PPC ads show up in search results and target many U.S. IP ranges. Malware attacks have already been on a tremendous increase, and scammers are getting more and more creative with it.

How Does it Work?

Bad actors have paid for dozens of Google PPC ads to show up on the first page of search results. These ads lead the user to an ISO image download. The image is larger than 100MB allowing it to evade detection by some threat scanning programs. 

Downloading the image installs one of four info stealers: Redline, Taurus, Tesla, and Amadeus. 

Threat researchers have identified at least three perpetrators running these scams. Two are using Taurus and a mini version of Redline, and the other is using Redline. All three use similar patterns, certificates, and command-and-control centers (C2s).

Morphisec describes how the malware works: 

  • “.Net executables are obfuscated with known obfuscators such as DeepSea, which leads to a custom obfuscated .Net DLL loader that eventually leads to a custom obfuscated Redline stealer .Net executable.

Adversary Two delivers Taurus and a mini-Redline info stealer.

  • Taurus AutoIt - 7fx executables that recreate and execute a legitimate AutoIt compiler with a malicious AutoIt script and a malicious encrypted Taurus executable that will be hollowed into the AutoIt process. 

  • Mini-Redline - A minimized .Net version of the Redline stealer with some common functionality for stealing data from browsers. It features different configuration and communication patterns wrapped in four layers of obfuscation.”

According to Threatpost, “Morphisec researchers found that a simple search for “anydesk download” led them to three pay-per-click Google ads, all of which led to malicious info stealers, as shown in the image below. The first two ads lead to a Redline stealer, while the third leads to the Taurus info stealer.”

Morphisec explains that “TheRedline info stealer websites are signed by a Sectigo certificate. Double Clicking the download button on any of the websites will lead to a script execution that verifies the IP and delivers the artifacts from one remote website “hxxps://desklop.pc-whatisapp[.]com”.”

What is Google Doing About It?

Google has sophisticated detection protocols built in to find and remove these types of situations. However, even with their strict rules and running these ads through the detection process, the issues persist. Violators are suspended for three months following an incident. 

Threatpost questioned Google about how this could be happening but Google has yet to respond.

Morphisec said that the Redline malware “will confuse even the biggest security vendors.” 

The Bottom Line

Threat experts have determined that all of these threats come from Russian adversaries, and they don’t mind paying for ads to trap their victims. The Morphisec research shows that the culprits have paid top dollar for ads that show up on the first page of search results. 

Morphisec warns companies that “organizations need to be constantly vigilant in all aspects of their operations. There’s no telling when an adversary will set up a website with a signed, legitimate certificate designed to mislead website visitors.”

Threatpost added,

“Threat actors are even clearly willing to pay substantial sums of money to target possible victims,” he continued. He pointed to Google Adwords data between May 2020 and April 2021, showing a bid price of between $0.42 and $3.97 for the two keywords “anydesk” and “anydesk download.”
“Assuming a click-through rate of 1,000 people, this could result in fees anywhere from $420 to $3,970 for even a small campaign that targets the U.S., for example,” Morphisec commented.
About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!