News, 29.12.2022, 13:00 PM
Users who search Google for popular software such as AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack and Zoom, among others, are being targeted by a new malicious advertising campaign. The campaign abuses Google Ads to deliver trojanized software that infects victims’ devices with malware such as Raccoon Stealer and Vidar.
Those responsible for these infections use seemingly legitimate websites whose domain names differ from the real ones by small errors. These fake sites appear at the top of Google search results in the form of ads when certain keywords are searched for.
The ultimate goal of such attacks is to trick users into downloading malware.
In the campaign discovered by Guardio Labs, the attackers have created a network of benign sites that are advertised in Google search results. When users click on them, they are redirected to a page with a trojanized ZIP file located on Dropbox or OneDrive.
Guardio Labs, which called the campaign MasquerAds, says a group called Vermux is responsible for it and is “misusing a huge list of brands.”
Operation Vermux is mainly focused on users in Canada and the US, and the sites used for this campaign are optimized for AnyDesk and MSI Afterburner searches. Victims are infected with cryptominers and Vidar malware.
This is not the first time that the Google Ads platform has been used to spread malware. One such campaign was discovered by Microsoft last month and the goal of the attack was to infect devices with BATLOADER, which is then used to infect devices with Royal ransomware.
Cybercriminals used similar tactics to distribute the IcedID malware via copies of the websites of well-known applications such as Adobe, Brave, Discord, LibreOffice, Mozilla Thunderbird and TeamViewer.