Fake Google Ads Use Software as a Gateway for Ransomware


Applications like WinRAR, 7-Zip, LibreOffice, VLC, Rufus, FileZilla and many others are being used as bait in a mass malware infection campaign. Criminals run fraudulent ads on Google that mimic the official websites of open source tools in order to create entry points into victims' systems, which are later sold to criminals who carry out ransomware attacks.


The idea is to deceive users by exploiting the prominence given to ads, which appear above legitimate results in Google searches. This is an already known infection vector, but it took on more serious dimensions when experts linked it to persistent threat gangs that sell access to devices and networks for ransomware attacks.

According to the MalwareHunterTeam threat intelligence team, one of these gangs is DEV-0569, which has been mentioned in alerts since November last year. The group uses websites on fake domains that resemble the real ones, along with pages copied from the developers, to deliver malware such as RedLine Stealer, Gozi, Vidar, Cobalt Strike and others.

In addition to establishing entry points into infected systems, the malware can also be used to steal personal and financial data or credentials for services. Once a corporate or government network is detected among the targets, the access can also be sold to gangs interested in ransomware attacks; cases involving Royal ransomware against international companies have already been recorded.

Experts note with curiosity that BatLoader, a loader capable of downloading other malware and developed by DEV-0569, is not among the infections. Researchers say this would be a way of hiding the group's identity, but also a sign of evolving offensive campaigns, even though they use infrastructure, domains and servers similar to those found in campaigns dating back to September 2022.

While pinning down an exact number of victims is difficult, since the criminals take measures to hide their tracks, researchers point to a rate of more than 60,000 infected devices per day as part of the campaign. In addition to personal information and access sold for ransomware, cryptocurrency wallets are also said to be among the criminals' targets.

Open source software and corporate systems in the crosshairs

A second campaign, also discovered by MalwareHunterTeam members, appears to be more focused on productivity applications, involving remote access software, application suites and even tax documents. The sponsored ads in this case are reportedly the work of a gang called TA505, which is behind the well-known CLOP ransomware.

Across all the attack campaigns identified, the following software is being used as bait:

  • Rufus;
  • LightShot;
  • 7-Zip;
  • WinRAR;
  • FileZilla;
  • LibreOffice;
  • AnyDesk;
  • VLC;
  • Awesome Miner;
  • TradingView;
  • Archiver;
  • TeamViewer;
  • Microsoft Teams;
  • Adobe apps;
  • Slack.

Commenting on a similar campaign disclosed last week, Google said it has robust policies to prevent fraudulent ads from impersonating real platforms or services. The company said the fraudulent advertisements identified, which impersonated the software cited, have already been taken down.

The recommendation is to be cautious when downloading applications, avoid advertisements and make sure the site visited belongs to the official developer. App stores and recognized marketplaces are good ways to ensure legitimate software is installed, while paying attention to domains and downloaded files helps avoid attacks of this type.
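One way to automate the domain check recommended above, for example in a proxy or download-review script. This is an added example, not code from the article or its sources: the `OFFICIAL` allowlist is an assumed, partial list of official domains for some of the apps named above, and every sample URL under `.example` is constructed. It goes slightly beyond the text by also flagging a brand name embedded in an unrelated host.

```python
from urllib.parse import urlsplit

# Assumption: partial allowlist of official download domains for apps named in
# the article; maintain your own list from each vendor's documentation.
OFFICIAL = {"7-zip.org", "rufus.ie", "videolan.org", "rarlab.com",
            "filezilla-project.org", "libreoffice.org", "anydesk.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, official domain involved or None) for a download URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain: last two labels. Production code should use
    # the Public Suffix List instead.
    domain = ".".join(labels[-2:])
    if domain in OFFICIAL:
        return ("official", domain)
    if any(label.startswith("xn--") for label in labels):
        return ("lookalike", None)  # punycode label: possible homoglyph host
    sld = labels[-2] if len(labels) >= 2 else host
    flat = host.replace("-", "")
    for good in sorted(OFFICIAL):
        brand = good.split(".")[0]
        limit = 1 if len(brand) <= 6 else 2  # tighter threshold for short names
        # Near-miss spelling of the brand, or the brand embedded in another host.
        if edit_distance(sld, brand) <= limit or brand.replace("-", "") in flat:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for u in ["https://www.7-zip.org/download.html",          # real official site
              "https://vide0lan.example/vlc-setup.exe",       # constructed
              "https://7zip.org.downloads.example/7z.exe",    # constructed
              "https://intranet.example/tools/"]:             # constructed
        print(u, "->", classify(u))
```

A "lookalike" verdict is a reason to block or review the download, while "unknown" only means the host resembles nothing on the allowlist, not that it is safe.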

Source: Bleeping Computer