How ransomware access brokers use Google Ads to breach your network
It is no longer news that clicking on search ads can redirect visitors to websites posing as download portals or clones of legitimate software sites. The download links on these pages usually serve an MSI file that installs different types of malware depending on the campaign. The ads impersonate popular software such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR and VLC.
Over the past few weeks, Google's search results have become a source of malicious ads pushing malware. The list of malware installed in these campaigns so far includes RedLine Stealer, Vidar and possibly Cobalt Strike and ransomware.
While many threat actors appear to be abusing the Google Ads platform to distribute malware, two campaigns stand out because their infrastructure has previously been involved in ransomware attacks.
In February 2022, Mandiant discovered a malware distribution campaign that used SEO poisoning to rank websites masquerading as popular programs high in search results.
If a user were to install the software offered by these pages, they would launch a new malware downloader called BatLoader, which would initiate a multi-step infection process that would ultimately give threat actors initial access to victims' networks.
Although the malicious installers in this campaign no longer use BatLoader, as Microsoft's previously reported campaigns did, they install an information stealer (RedLine Stealer) followed by a malware loader.
The current campaign uses RedLine to steal information such as passwords, cookies and cryptocurrency wallets, while Gozi/Ursnif is used to download additional malware.
Another campaign linked to CLOP Ransomware
A different but similar Google Ads campaign was discovered that used infrastructure previously tied to a known threat group, TA505, to distribute the CLOP ransomware.
In this Google Ads campaign, the threat actors distributed malware through websites masquerading as popular software such as AnyDesk, Slack, Microsoft Teams, TeamViewer, LibreOffice and Adobe and, strangely, through websites offering IRS W-9 forms.
Once the installer runs, it executes a PowerShell script that downloads and executes a DLL from download-cdn[.]com, a domain previously used by TA505.
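The two indicators a defender can pull from the campaigns above are the payload domain (download-cdn[.]com) and the pattern of installer downloads from lookalike domains of the impersonated brands. The following triage helper, added here as an example and not code from the original article or from any of the researchers it cites, scans constructed web-proxy log lines for both. The log lines, the log format and the brand-to-official-domain map are assumptions constructed for this example; the only indicator taken from the article is the defanged domain.

```python
"""Triage helper: flag proxy log lines matching the malvertising indicators.

Added example, not from the article. Log format and official-domain map are
constructed assumptions; download-cdn[.]com is the indicator named in the text.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicator named in the article, kept defanged in the source file.
DEFANGED_IOCS = ["download-cdn[.]com"]

# Brands the article says were impersonated, mapped to what this example ASSUMES
# are their official registrable domains (assumption, not from the article).
OFFICIAL_DOMAINS = {
    "rufus": {"rufus.ie"},
    "7-zip": {"7-zip.org"},
    "anydesk": {"anydesk.com"},
    "filezilla": {"filezilla-project.org"},
    "libreoffice": {"libreoffice.org"},
    "winrar": {"win-rar.com", "rarlab.com"},
    "teamviewer": {"teamviewer.com"},
}

# File types the article says the fake download pages serve.
INSTALLER_EXT = re.compile(r"\.(msi|exe|zip)$", re.IGNORECASE)

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
LOG_LINES = [
    "2023-01-20T10:01:02Z 10.0.0.5 GET https://www.7-zip.org/a/7z2201-x64.exe 200",
    "2023-01-20T10:03:17Z 10.0.0.5 GET https://7-zip.downloads-example.net/7zip_setup.msi 200",
    "2023-01-20T10:03:40Z 10.0.0.5 GET https://download-cdn.com/loader.dll 200",
    "2023-01-20T10:05:00Z 10.0.0.9 GET https://www.libreoffice.org/download/ 200",
]


def refang(indicator: str) -> str:
    """Undo common defanging so a published IoC can be matched against live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url: str) -> Optional[str]:
    """Return a reason string if the URL matches an indicator, otherwise None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    # 1. Exact hit on the known payload domain, regardless of path.
    if domain in IOC_DOMAINS:
        return f"known payload domain {domain}"
    # 2. Installer download from a host that carries a brand name but is not
    #    the brand's official domain (lookalike / clone site).
    if not INSTALLER_EXT.search(parsed.path):
        return None
    flat_host = host.lower().replace("-", "")
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand.replace("-", "") in flat_host and domain not in official:
            return f"installer download from lookalike of {brand}: {host}"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (1-based line number, host, reason) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        url = fields[3]
        reason = classify(url)
        if reason:
            hits.append((lineno, urlparse(url).hostname or "", reason))
    return hits


if __name__ == "__main__":
    for lineno, host, reason in scan(LOG_LINES):
        print(f"line {lineno}: {host} -> {reason}")
```

The lookalike check deliberately fires only on installer downloads, so ordinary browsing of a brand's official site produces no alert; a hit means a host that borrows a brand name served an MSI, EXE or ZIP from a domain the brand does not own, which is exactly the clone-site pattern the article describes.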
Regardless of who owns these domains, the sheer volume of malicious Google ads appearing in search results is becoming a major problem for consumers and businesses alike.
When these campaigns are used to gain initial access to corporate networks, they can lead to data theft, ransomware and even destructive attacks that disrupt business operations.
Google explained that it has strict policies that prohibit ads which try to evade its controls by masking the identity of the advertiser and impersonating other brands, and that it monitors for them. It has reviewed these ads and removed them.
The good news is that Google removes the ads once they are reported and identified. The bad news is that threat actors constantly launch new advertising campaigns and new websites, making it a giant game of whack-a-mole that Google cannot win.