Threat researchers have discovered dozens of Google PPC ads that link to malicious websites laced with Redline, Taurus, Tesla, and Amadey malware (info stealers).
What is Happening?
Threat assessment company Morphisec disclosed in a report on Wednesday that they have been tracking for some time Google PPC ads that lure users into downloading malicious versions of Dropbox, AnyDesk, and Telegram. These packages are wrapped as ISO images.
The Google PPC ads show up in search results and target many U.S. IP ranges. Malware attacks have already been on a tremendous increase, and scammers are getting more and more creative with it.
How Does it Work?
Bad actors have paid for dozens of Google PPC ads to show up on the first page of search results. These ads lead the user to an ISO image download. The image is larger than 100MB allowing it to evade detection by some threat scanning programs.
Downloading the image installs one of four info stealers: Redline, Taurus, Tesla, and Amadeus.
Threat researchers have identified at least three perpetrators running these scams. Two are using Taurus and a mini version of Redline, and the other is using Redline. All three use similar patterns, certificates, and command-and-control centers (C2s).
Morphisec describes how the malware works:
“.Net executables are obfuscated with known obfuscators such as DeepSea, which leads to a custom obfuscated .Net DLL loader that eventually leads to a custom obfuscated Redline stealer .Net executable.
Adversary Two delivers Taurus and a mini-Redline info stealer.
Taurus AutoIt - 7fx executables that recreate and execute a legitimate AutoIt compiler with a malicious AutoIt script and a malicious encrypted Taurus executable that will be hollowed into the AutoIt process.
Mini-Redline - A minimized .Net version of the Redline stealer with some common functionality for stealing data from browsers. It features different configuration and communication patterns wrapped in four layers of obfuscation.”
According to Threatpost, “Morphisec researchers found that a simple search for “anydesk download” led them to three pay-per-click Google ads, all of which led to malicious info stealers, as shown in the image below. The first two ads lead to a Redline stealer, while the third leads to the Taurus info stealer.”
Morphisec explains that “TheRedline info stealer websites are signed by a Sectigo certificate. Double Clicking the download button on any of the websites will lead to a script execution that verifies the IP and delivers the artifacts from one remote website “hxxps://desklop.pc-whatisapp[.]com”.”
What is Google Doing About It?
Google has sophisticated detection protocols built in to find and remove these types of situations. However, even with their strict rules and running these ads through the detection process, the issues persist. Violators are suspended for three months following an incident.
Threatpost questioned Google about how this could be happening but Google has yet to respond.
Morphisec said that the Redline malware “will confuse even the biggest security vendors.”
The Bottom Line
Threat experts have determined that all of these threats come from Russian adversaries, and they don’t mind paying for ads to trap their victims. The Morphisec research shows that the culprits have paid top dollar for ads that show up on the first page of search results.
Morphisec warns companies that “organizations need to be constantly vigilant in all aspects of their operations. There’s no telling when an adversary will set up a website with a signed, legitimate certificate designed to mislead website visitors.”
“Threat actors are even clearly willing to pay substantial sums of money to target possible victims,” he continued. He pointed to Google Adwords data between May 2020 and April 2021, showing a bid price of between $0.42 and $3.97 for the two keywords “anydesk” and “anydesk download.”
“Assuming a click-through rate of 1,000 people, this could result in fees anywhere from $420 to $3,970 for even a small campaign that targets the U.S., for example,” Morphisec commented.