2 April 2024

Hackers abuse Google Ads tracking feature to deliver malware

Threat actors are exploiting a tracking feature in Google Ads to deliver malicious software, researchers at AhnLab Security Intelligence Center (ASEC) have warned.

The observed cases revealed that the malware is being disseminated under the guise of installers for popular groupware applications such as Notion and Slack.

Once installed and executed, the malware proceeds to download malicious files and payloads from the attacker’s server, potentially compromising the security of the affected systems.

This particular strain of malware is distributed in the form of installer packages, commonly utilizing tools like the Inno Setup installer or the Nullsoft Scriptable Install System (NSIS) installer. By leveraging Google Ads tracking, the attackers are able to deceive users into believing they are accessing legitimate websites, the company said.

Google Ads tracking allows advertisers to insert external analytic website addresses, enabling them to collect and utilize visitors’ access-related data to gauge ad traffic.

In the observed instance, the attackers employed a hidden tracking URL embedded within the ad. Clicking on the visible banner redirects users to the concealed tracking template URL rather than the displayed final URL. The landing page closely resembles the legitimate website of a groupware tool, prompting visitors to download and execute the malware.

Once executed, the malware uses intermediary websites capable of storing text, such as textbin or tinyurl, to access malicious payload addresses. Subsequently, the Rhadamanthys info-stealing malware is downloaded and injected into legitimate Windows files within the %system32% path. Given that the malware operates through a legitimate file, it can surreptitiously extract users’ private data without their knowledge.

“This Rhadamanthys malware distribution case has confirmed that attackers can use Google Ads to deceive users. In fact, all search engines that provide tracking to calculate ad traffic can be used to distribute malware. Users must pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad’s banner,” the researchers noted.
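The check the researchers recommend, comparing the domain shown on the ad banner with the domain actually reached after the hidden tracking redirect, as an added illustration that is not part of ASEC's report; the displayed URL, the redirect chain and all hostnames are constructed placeholders, and the domain parsing is a deliberate approximation (no public-suffix list):

```python
from urllib.parse import urlparse

# Constructed sample: the URL shown on the ad banner and the hop-by-hop chain
# a click actually followed (hypothetical hosts, not real indicators).
DISPLAYED_URL = "https://www.notion.so/download"
OBSERVED_REDIRECT_CHAIN = [
    "https://ads.example/aclk?campaign=groupware",
    "https://tracking-template.example/track?dest=1",   # hidden tracking URL
    "https://notion-download.example/NotionSetup.exe",  # actual landing page
]


def registrable_domain(url: str) -> str:
    """Approximate the registrable domain as the last two host labels.

    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not
    handled; sufficient to illustrate the displayed-vs-landing comparison.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = [part for part in host.split(".") if part]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_ad_click(displayed_url: str, redirect_chain: list[str]) -> dict:
    """Compare the domain a user believes they are visiting with the one
    they land on after the tracking redirects.

    Returns a verdict plus the intermediate domains for analyst review.
    An empty chain means no redirect happened, so the landing domain is
    the displayed one.
    """
    shown = registrable_domain(displayed_url)
    hops = [registrable_domain(u) for u in redirect_chain]
    landing = hops[-1] if hops else shown
    return {
        "displayed_domain": shown,
        "landing_domain": landing,
        "intermediate_domains": hops[:-1],
        "verdict": "MATCH" if landing == shown else "MISMATCH",
    }


if __name__ == "__main__":
    result = check_ad_click(DISPLAYED_URL, OBSERVED_REDIRECT_CHAIN)
    print(result["verdict"], result["displayed_domain"], "->", result["landing_domain"])
```

A browser proxy or web gateway log that records the full redirect chain per click is enough input for this comparison; a MISMATCH on a click that ends in an installer download is the case worth reviewing.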
