Attackers abuse Google’s advertising feature to target Slack and Notion users

Attackers are once again abusing Google Ads to deliver information-stealing malware, this time using an ad-tracking feature to lure business users with fake ads for popular collaboration tools such as Slack and Notion.

Researchers at the AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses Google Ads' tracking feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature allows advertisers to insert the address of an external analytics website into an ad so that visitor access data can be collected and used to measure ad traffic.

However, instead of entering the URL of an external analytics site, the attackers abuse the feature to point to sites that distribute malicious code, the researchers discovered.

Ads related to the campaign have already been deleted. But when they were still active, “clicking on the banner took unsuspecting users to an address that tricked them into downloading a malicious file,” according to ASEC.

In the campaign, Rhadamanthys is disguised as the installer of popular groupware that enterprise teams often use for workplace collaboration. Once installed and executed, the malware downloads additional malicious files and payloads from the attacker's server.

Redirects to Download Stealers

The ASEC post analyzes how the attackers crafted the campaign so that banner ads carry tracking URLs, invisible to the end user, that redirect visitors to a URL created and controlled by the attacker. This final landing page looks similar to the actual website of a groupware tool such as Slack or Notion and prompts visitors to download and run the malware, which is distributed in the form of an installer.

Typical installers used by the campaign are the Inno Setup installer and the Nullsoft Scriptable Install System (NSIS) installer. Specifically, the attackers used the following executable files: Notion_software_x64_.exe; Slack_software_x64_.exe; Trello_software_x64_.exe; and GoodNotes_software_x64_32.exe.

“Once executed, the malware uses websites that can save text, such as textbin or tinyurl, to access the addresses of the malicious payloads,” ASEC said in its blog post, which lists the URLs the attackers used to retrieve these addresses before the payloads are delivered to users.

The final payload of the campaign is the Rhadamanthys stealer, which is injected into legitimate Windows files under the “%system32%” path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.

Rhadamanthys is popular among attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It works like a typical stealer, collecting system information such as computer name, username, operating system version and other machine details. It also queries the directories of installed browsers, including Brave, Edge, Chrome, Firefox and Opera Software, to find and steal browser history, bookmarks, cookies, autofill entries, login credentials and other data.

Pay attention to the URLs served by ads

The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to spread Rhadamanthys and other malware, and it probably won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake download lures for popular remote-working software, such as Zoom and AnyDesk, to deliver Rhadamanthys.

Attackers have even abused the service's “dynamic search ads” feature to amplify the effect of malicious campaigns by creating targeted ads that spread a wave of malware.

Indeed, since “all search engines that provide tracking to calculate advertising traffic can be used to distribute malware,” users must remain vigilant when following links from Google-served ads, ASEC warned. Specifically, they should “pay attention to the URL that is displayed when accessing the website, not the URL shown on the ad banner” to avoid falling for a malicious campaign, according to the post.
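The following script is an added example and is not code from the ASEC post. It turns the two defensive observations above into a triage check that a SOC could run over web-proxy or EDR download records: first, whether the final host of an ad redirect chain belongs to the brand the ad claimed to represent (ASEC's advice to trust the landing URL, not the banner); second, whether a downloaded executable follows the installer naming the campaign used (`<App>_software_x64_*.exe`) while being served from a host that is not that vendor's own domain. The brand-to-domain map, the sample records and every `.example.invalid` host are constructed for illustration and are not indicators from the post; the domain check is a plain suffix match with no public-suffix list, which is an assumption that suffices for the brands listed here.

```python
"""Added example (not from the ASEC post): triage of ad-redirect chains and
installer downloads for the Google Ads tracking-URL lure described above."""
import re
from urllib.parse import urlparse

# Assumption: the vendors' legitimate registered domains for the impersonated brands.
LEGIT_DOMAINS = {
    "slack": "slack.com",
    "notion": "notion.so",
    "trello": "trello.com",
    "goodnotes": "goodnotes.com",
}

# File names reported by ASEC follow "<App>_software_x64_<optional>.exe".
INSTALLER_NAME = re.compile(r"^(?P<app>[A-Za-z]+)_software_x64_\w*\.exe$", re.IGNORECASE)


def is_brand_domain(host, brand):
    """True if host is the brand's legitimate domain or one of its subdomains.
    Plain suffix match (assumption: no public-suffix handling needed here)."""
    legit = LEGIT_DOMAINS[brand]
    host = (host or "").lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def landing_mismatch(brand, chain):
    """Inspect a redirect chain (list of URLs, banner click first, landing page last)
    and report whether the final landing host is outside the advertised brand's domain.
    Returns (mismatch, final_host)."""
    final_host = urlparse(chain[-1]).hostname or ""
    return (not is_brand_domain(final_host, brand), final_host)


def suspicious_download(url):
    """Flag a download whose file name matches the campaign's installer naming and
    whose host is not the impersonated vendor's domain. Returns a dict or None."""
    parsed = urlparse(url)
    name = parsed.path.rsplit("/", 1)[-1]
    match = INSTALLER_NAME.match(name)
    if not match:
        return None
    app = match.group("app").lower()
    host = parsed.hostname or ""
    if app in LEGIT_DOMAINS and is_brand_domain(host, app):
        return None  # vendor's own host: naming alone is not enough to alert
    return {"file": name, "app": app, "host": host}


def triage(records):
    """records: dicts with 'brand', 'chain' (list of URLs) and optional 'download' URL.
    Returns a list of human-readable findings."""
    findings = []
    for rec in records:
        mismatch, host = landing_mismatch(rec["brand"], rec["chain"])
        if mismatch:
            findings.append(f"landing-mismatch brand={rec['brand']} final_host={host}")
        if rec.get("download"):
            hit = suspicious_download(rec["download"])
            if hit:
                findings.append(f"installer-lure file={hit['file']} host={hit['host']}")
    return findings


# Constructed sample records; hosts are placeholders, not indicators from the post.
SAMPLE_RECORDS = [
    {  # benign: the ad click ends on the vendor's own site
        "brand": "slack",
        "chain": ["https://ads.example.invalid/click?id=constructed",
                  "https://slack.com/downloads/windows"],
        "download": None,
    },
    {  # lure: tracking hop, then an attacker-controlled lookalike serving the installer
        "brand": "notion",
        "chain": ["https://ads.example.invalid/click?id=constructed",
                  "https://tracking.example.invalid/r",
                  "https://notion-download.example.invalid/"],
        "download": "https://notion-download.example.invalid/Notion_software_x64_.exe",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

In practice the redirect chain comes from proxy logs or browser telemetry that record each hop; the point of keeping the brand in the record is that the comparison is against what the ad promised, not against a static blocklist, which is why it still fires when the attacker rotates landing hosts.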

ASEC also published a comprehensive list of URLs associated with various phases of the campaign to help administrators identify if any business users were affected.
