A malvertising campaign has been discovered that uses Google Ads to target users searching for popular software. The campaign directs users to fake landing pages that distribute malicious payloads, and it specifically targets users searching for Notepad++ and PDF converters. When a user clicks on a bogus ad, the campaign first shows a decoy site in order to filter out bots and IP addresses that are not of interest. If the user is deemed of interest, they are redirected to a replica of the legitimate website while their system is silently fingerprinted to determine whether the request is coming from a virtual machine. The final-stage malware establishes a connection to a remote domain from which follow-on malware is served. This campaign highlights the ability of threat actors to bypass ad verification checks and target specific victims.
Additionally, a similar campaign has been observed targeting users searching for the KeePass password manager. This campaign uses malicious ads that direct victims to a domain encoded with Punycode, the encoding that represents Unicode characters in ASCII-only domain names, which allows a lookalike domain to closely resemble the legitimate one. Users who land on the decoy site are tricked into downloading a malicious installer that leads to the execution of FakeBat. The combination of Punycode and rogue Google Ads demonstrates the increasing sophistication of malvertising via search engines.
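The Punycode trick described above is something a defender can check for in proxy logs or DNS telemetry. The following script is an added example, not code from the original article or from any of the vendors mentioned; it decodes `xn--` labels back to Unicode and applies two lookalike heuristics, diacritic stripping (so a k with a cedilla collapses to a plain k) and a mixed-script check. The hostnames in `SAMPLES` are constructed for the example; the real campaign domain is not given on the page, and `WATCHLIST` simply holds the two brand names the article mentions.

```python
import codecs
import unicodedata
from dataclasses import dataclass, field

# Brand names mentioned in the campaigns above; a real deployment would use its own list.
WATCHLIST = {"keepass", "notepad-plus-plus"}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (Punycode 'xn--' labels are decoded)."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def skeleton(text: str) -> str:
    """Collapse diacritics: NFKD decomposition, then drop combining marks, then lowercase.
    'ķeepass' (k with cedilla) becomes 'keepass'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def scripts_in(text: str) -> set:
    """Script names of the letters in text, taken from the first word of each character name
    (e.g. 'LATIN', 'CYRILLIC'). Digits and punctuation are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


@dataclass
class HostnameReport:
    hostname: str
    decoded: str
    findings: list = field(default_factory=list)


def check_hostname(hostname: str) -> HostnameReport:
    """Decode every label of a hostname and record lookalike indicators."""
    labels = hostname.rstrip(".").split(".")
    decoded_labels = [decode_label(label) for label in labels]
    report = HostnameReport(hostname, ".".join(decoded_labels))
    for raw, dec in zip(labels, decoded_labels):
        if raw.lower().startswith("xn--"):
            report.findings.append(f"punycode label {raw!r} decodes to {dec!r}")
        # Latin plus any other script in one label is a classic homoglyph pattern.
        scripts = scripts_in(dec)
        if len(scripts) > 1:
            report.findings.append(f"mixed scripts {sorted(scripts)} in {dec!r}")
        # A label that only matches a watched brand after diacritics are stripped is a lookalike;
        # the genuine brand label matches itself and is not flagged.
        sk = skeleton(dec)
        if sk in WATCHLIST and sk != dec.lower():
            report.findings.append(f"lookalike of watched brand {sk!r}: {dec!r}")
    return report


# Constructed sample hostnames (not from the article):
SAMPLES = [
    "keepass.info",              # plain ASCII, nothing to report
    "xn--eepass-vbb.info",       # Punycode for 'ķeepass.info' (U+0137, k with cedilla)
    "keep\u0430ss.info",         # Latin letters with one Cyrillic 'а' (U+0430)
]


def run_samples() -> dict:
    """Map each sample hostname to its list of findings."""
    return {host: check_hostname(host).findings for host in SAMPLES}


if __name__ == "__main__":
    for host, findings in run_samples().items():
        print(host, "->", findings or "clean")
```

The two heuristics are deliberately complementary: normalisation catches accented Latin letters, which NFKD decomposes, while the script check catches Cyrillic or Greek characters, which NFKD leaves untouched.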
In another development, multiple threat actors have been observed using fake browser update themes to propagate Cobalt Strike, loaders, stealers, and remote access trojans. These attacks rely on visual trickery, displaying bogus update prompts on compromised websites to exploit end users' trust in those sites. Victims can arrive at these prompts through otherwise legitimate channels such as email, social media sites, search engine queries, or compromised websites.
Overall, these campaigns demonstrate the constant and evolving threat posed by malvertising and fake browser updates. Threat actors keep finding ways to bypass security measures and target specific victims, which highlights the need for continued vigilance and up-to-date security controls.