2 April 2024

Hackers abuse Google Ads tracking feature to deliver malware

Threat actors are exploiting a tracking feature in Google Ads to deliver malicious software, researchers at AhnLab Security Intelligence Center (ASEC) have warned.

The observed cases revealed that the malware is being disseminated under the guise of installers for popular groupware applications such as Notion and Slack.

Once installed and executed, the malware proceeds to download malicious files and payloads from the attacker’s server, potentially compromising the security of the affected systems.

This malware is distributed as installer packages, typically built with the Inno Setup installer or the Nullsoft Scriptable Install System (NSIS) installer. By abusing Google Ads tracking, the attackers are able to deceive users into believing they are accessing legitimate websites, ASEC said.

Google Ads tracking allows advertisers to insert an external analytics URL (a tracking template) into an ad, so that visitor access data can be collected and used to gauge ad traffic.

In the observed instance, the attackers employed a hidden tracking URL embedded within the ad. Clicking on the visible banner redirects users to the concealed tracking template URL rather than the displayed final URL. The landing page closely resembles the legitimate website of a groupware tool, prompting visitors to download and execute the malware.

Once executed, the malware uses intermediary websites capable of storing text, such as textbin or tinyurl, to access malicious payload addresses. Subsequently, the Rhadamanthys info-stealing malware is downloaded and injected into legitimate Windows files within the %system32% path. Given that the malware operates through a legitimate file, it can surreptitiously extract users’ private data without their knowledge.
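The two tells described above, a landing domain that differs from the URL shown on the banner and a redirect hop through a text-hosting or URL-shortening site, can be turned into a simple audit over click records. The following is an added example written for this article, not code from ASEC or from the attackers' kit; the click records, the `ads.example` redirector and the landing hosts are constructed, and the paste/shortener host list and the two-label domain approximation are assumptions.

```python
from urllib.parse import urlparse

# Hosts the article names as intermediaries for staging payload addresses
# (assumed hostnames; extend this set from your own proxy/DNS telemetry).
PASTE_OR_SHORTENER_HOSTS = {"textbin.net", "tinyurl.com"}


def hostname(url: str) -> str:
    """Lower-cased hostname; a scheme-less banner URL like 'notion.so' is
    treated as http so urlparse does not read it as a path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(url: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: no
    public-suffix list, so 'example.co.uk' style names are not handled)."""
    labels = hostname(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def audit_ad_click(displayed_url: str, redirect_chain: list[str]) -> list[str]:
    """Return findings for one ad click.

    displayed_url   -- the URL shown on the banner
    redirect_chain  -- every URL visited from the click to the final landing page, in order
    """
    findings = []
    shown, landing = registrable_domain(displayed_url), registrable_domain(redirect_chain[-1])
    if shown != landing:
        findings.append(f"landing domain {landing!r} differs from displayed {shown!r}")
    for hop in redirect_chain:
        if hostname(hop) in PASTE_OR_SHORTENER_HOSTS:
            findings.append(f"redirect passes through paste/shortener host {hostname(hop)!r}")
    return findings


if __name__ == "__main__":
    # Constructed click records: one lookalike landing page, one genuine redirect.
    CLICKS = [
        ("notion.so", ["https://ads.example/click?id=1",
                       "https://notion-desktop.example/NotionSetup.exe"]),
        ("https://www.notion.so/", ["https://ads.example/click?id=2",
                                    "https://www.notion.so/desktop"]),
    ]
    for shown_url, chain in CLICKS:
        print(shown_url, "->", audit_ad_click(shown_url, chain) or "ok")
```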

“This Rhadamanthys malware distribution case has confirmed that attackers can use Google Ads to deceive users. In fact, all search engines that provide tracking to calculate ad traffic can be used to distribute malware. Users must pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad’s banner,” the researchers noted.
