Google PPC Ads Used to Deliver Infostealers

Google ads infostealers

The crooks pay top dollar for Google search results for the popular AnyDesk, Dropbox & Telegram apps that lead to a malicious, infostealer-packed website.

Researchers have tracked down the origins of several increasingly prevalent info-stealers – including Redline, Taurus, Tesla and Amadey – that threat actors are delivering via pay-per-click (PPC) ads in Google’s search results.

On Wednesday, breach prevention firm Morphisec posted an advisory in which it said that over the past month, it’s investigated the origins of paid ads that appear on the first page of search results and that lead to downloads of malicious AnyDesk, Dropbox and Telegram packages wrapped as ISO images.

This isn’t the first time we’ve seen a fake version of AnyDesk, the popular remote desktop application, pushed via ads appearing in Google search results. Just a week ago, we saw rigged AnyDesk ads serving up a trojanized version of the program. That earlier campaign even bested AnyDesk’s own ad campaign on Google, ranking higher in its paid results.

This time around, the Google PPC ads targeted specific IP ranges in the U.S. and “probably some other countries,” researchers wrote. Non-targeted IPs are redirected to legitimate pages that download the correct applications.

How These Attack Chains Work
The researchers investigated three attack chains that lead to Redline, Taurus and a new mini-Redline infostealer compromise. Two of the adversaries – the ones leveraging Taurus and mini-Redlineare – are using similar patterns, certificates, and command-and-control centers (C2s). The third uses Redline, while Morphisec plans to write up the Amadey campaign in a separate post.

Why Doesn’t Google Scanning Catch These?
Google says that it uses proprietary technology and malware detection tools to “regularly scan all creatives”, that it forbids ads when they try to call fourth parties or sub-syndication to uncertified advertisers, that it pulls ads distributing malware, and that authorized buyers whose ads are found to contain malware are placed on a minimum three-month suspension.

So how do these bad ads, funded through crooks spending real money on paid advertising, keep popping up at the top of search results? Threatpost reached out to Google to ask. In the meantime, Morphisec’s investigation revealed that the unpacked Redline malware “will confuse even the biggest security vendors,” using obfuscation techniques described below. In a nutshell, these attacks have succeeded because crooks spend real money on Google AdWords, having figured out how to evade Google’s malvertising screening and having set up a website with a signed, legitimate certificate – as in, a maximum of two weeks old – designed to mislead website visitors.

Obfuscation Galore
As researchers described it, all of the attacks start with one of a dozen paid Google ads that lead to a website with an ISO image download – one that’s big enough to slip past scanning. “The ISO image size is larger than 100MB, which allows the image to evade some scanning solutions that are optimized on throughput and size,” they explained. “Mounting the ISO image leads to executables that are usually, but not always, digitally signed and legitimately verified.”

Adversary One dumps the Redline infostealer. It obfuscates .Net executables with known obfuscators, including DeepSea. That leads to a custom obfuscated .Net DLL loader that eventually leads to a custom obfuscated Redline stealer .Net executable, they continued.

For its part, Adversary Two delivers Taurus and a mini-Redline infostealer that has some common functionality for stealing browser data and that wraps four layers of obfuscation around its configuration and communication patterns. As for the Taurus AutoIt infostealer, its executables recreate and execute a legitimate AutoIt compiler with a malicious AutoIt script and a malicious encrypted Taurus executable that will be hollowed into the AutoIt process, the researchers wrote.

Read more here: