Cybercriminals have been exploiting Google search ads to deliver malicious payloads through seemingly legitimate ads for the popular communication tool Slack.
This stealthy and sophisticated attack highlights the evolving tactics of threat actors who are increasingly adept at bypassing security measures and evading detection.
The Rise of Malvertising Incidents
Over the past year, nearly 500 unique malvertising incidents related to Google search ads have been reported. These incidents often display similarities, suggesting coordinated campaigns by threat actors.
Some malvertisers go to great lengths to bypass security controls, while others are willing to sacrifice their accounts and infrastructure to achieve their goals. The attack targeting Slack is particularly noteworthy for its stealth and sophistication.
Contextual Clues and Suspicious Ads
For several days, a suspicious ad for Slack appeared at the top of Google search results. At first glance, the ad seemed legitimate, redirecting users to Slack’s official website.
However, a closer inspection revealed that the advertiser was promoting products seemingly targeted at the Asian market, with the Slack ad appearing incongruously among them.
This anomaly raised suspicions and highlighted the importance of contextualized detection in identifying compromised advertiser accounts.
The Slow Cooking Strategy
Initially, clicking on the Slack ad redirected users to a pricing page on Slack’s official site. This tactic, known as “slow cooking,” is common among threat actors: the ad behaves legitimately for a period, so it passes review and attracts no attention before its destination is switched.
Eventually, the ad’s behavior changed, redirecting users to a click tracker—a vulnerability in the Google ad ecosystem that can be exploited to filter clicks and redirect traffic to malicious domains.
The ad’s final URL became slack-windows-download[.]com, a domain created less than a week prior. Although the page initially appeared benign, further investigation revealed a malicious page impersonating Slack and offering a download link to unsuspecting victims.
This tactic, known as cloaking, involves showing different content to different users, making it challenging to detect malicious activity without specialized tools and knowledge of threat actors’ tactics, techniques, and procedures (TTPs).
The Malware Payload
The malicious page’s download button triggered a file download from another domain, suggesting a parallel campaign targeting Zoom.
Dynamic analysis in a sandbox environment uncovered a remote connection to a server previously associated with SecTopRAT, a remote access Trojan with stealer capabilities. This payload has been used in other malvertising chains, including those impersonating NordVPN.
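As an added illustration (not code from the article, from Malwarebytes, or from Google), the following Python sketch turns the defensive signals this chain exposes into a check a SOC could run over ad click chains: a domain that carries a brand name but is not the brand's official site, a domain registered only days earlier, and a chain whose final hop lands somewhere other than the advertised brand. The official-domain allow-list, the creation-date table, the click-tracker and Zoom-themed hosts, and both sample chains are constructed for this example; only slack-windows-download[.]com comes from the article. A real deployment would replace the table with an RDAP/WHOIS lookup and the two-label domain extraction with the Public Suffix List.

```python
"""Flag ad click chains that end on a brand-lookalike, newly registered domain.

Added example modelled on the Slack malvertising chain described above; the
allow-list, creation dates and sample chains are constructed, not observed data.
"""
from datetime import date
from urllib.parse import urlparse

# Official domains per brand (assumed allow-list for this example).
OFFICIAL_DOMAINS = {
    "slack": {"slack.com"},
    "zoom": {"zoom.us"},
}

# Constructed stand-in for a WHOIS/RDAP creation-date lookup.
DOMAIN_CREATED = {
    "slack.com": date(2000, 1, 1),                    # placeholder, not the real date
    "slack-windows-download.com": date(2024, 8, 3),   # constructed (article: < 1 week old)
    "zoom-client-install.example": date(2024, 8, 5),  # constructed, hypothetical host
}

NEW_DOMAIN_DAYS = 7          # "created less than a week prior" threshold
SAMPLE_TODAY = date(2024, 8, 9)

# Constructed chains: first hop is the ad click, last hop the final landing/download.
BENIGN_CHAIN = [
    "https://www.google.com/aclk?sa=L",
    "https://slack.com/pricing",
]
MALICIOUS_CHAIN = [
    "https://www.google.com/aclk?sa=L",
    "https://ads-click-tracker.example/r?u=1",          # hypothetical click tracker
    "https://slack-windows-download[.]com/",             # lookalike from the article
    "https://zoom-client-install[.]example/SlackSetup.exe",  # hypothetical second domain
]


def refang(url: str) -> str:
    """Turn defanged indicators (e.g. example[.]com, hxxp://) back into real URLs."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); use the Public
    Suffix List in production to handle suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_official(host: str, brand: str) -> bool:
    """True if host is one of the brand's official domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])


def lookalike_brand(host: str):
    """Return the brand a host impersonates: the brand name appears in the
    registrable domain, yet the host is not an official domain of that brand."""
    reg = registered_domain(host)
    for brand in OFFICIAL_DOMAINS:
        if brand in reg and not is_official(host, brand):
            return brand
    return None


def domain_age_days(host: str, today: date):
    """Days since registration, or None when the creation date is unknown."""
    created = DOMAIN_CREATED.get(registered_domain(host))
    return (today - created).days if created else None


def assess_chain(advertised_brand: str, urls, today: date) -> dict:
    """Walk a click chain and collect findings; verdict is 'malicious' when a
    lookalike domain is also newly registered, 'suspicious' on any other finding."""
    hosts = [urlparse(refang(u)).hostname or "" for u in urls]
    findings = []
    for host in hosts:
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"brand_lookalike:{host}:{brand}")
        age = domain_age_days(host, today)
        if age is not None and age < NEW_DOMAIN_DAYS:
            findings.append(f"new_domain:{host}:{age}d")
    # The ad promised Slack; the chain should end on Slack's own infrastructure.
    if hosts and not is_official(hosts[-1], advertised_brand):
        findings.append(f"off_brand_landing:{hosts[-1]}")
    lookalike = any(f.startswith("brand_lookalike") for f in findings)
    fresh = any(f.startswith("new_domain") for f in findings)
    verdict = "malicious" if lookalike and fresh else "suspicious" if findings else "clean"
    return {"hosts": hosts, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for chain in (BENIGN_CHAIN, MALICIOUS_CHAIN):
        print(assess_chain("slack", chain, SAMPLE_TODAY))
```

Each finding is emitted separately so the off-brand landing and the newly registered lookalike can feed different alert rules; the "slow cooking" phase in the article would produce the clean result until the ad's destination changes, which is exactly why the check belongs on continuously re-collected click chains rather than on a one-time ad review.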
In response to this threat, cybersecurity firm Malwarebytes has enhanced its detection coverage and reported the malicious ad to Google. Cloudflare has also flagged the decoy domains as phishing sites.
Despite these efforts, malvertisers exploit free and paid platforms to evade detection, demonstrating patience and strategic planning in their campaigns.
As cyber threats become more sophisticated, individuals and organizations must remain vigilant and informed. Users should be cautious when clicking on ads and verify the legitimacy of websites before downloading any files.
By staying informed and adopting proactive security measures, we can better protect ourselves against the ever-evolving landscape of cyber threats.