Hackers Exploit Google Ads Tracking Feature To Deliver Malware


Google Ads is a large platform with an enormous audience, which makes it attractive to threat actors who want to reach many potential victims at once.

Attackers can create malicious ads outright or hijack legitimate advertiser accounts to spread malware, phishing pages, and other malicious content.

The fine-grained targeting options in Google Ads let attackers aim campaigns at specific demographics, locations, or interests, which raises the odds that a given victim clicks.

The pay-per-click model can also be abused for fraud, for example click fraud that drains a competitor's advertising budget. Given the scale and complexity of the ad ecosystem, detecting and preventing such abuse is difficult.

AhnLab Security Intelligence Center (ASEC) recently found attackers abusing the Google Ads tracking template feature to deliver malware.

Hackers Exploit Google Ads Tracking

AhnLab found malware disguised as installers for popular collaboration (groupware) tools such as Notion and Slack, distributed through Google Ads tracking URLs. On execution, the fake installer fetches further payloads from attacker-controlled servers.

The identified malicious file names include:

  • Notion_software_x64_.exe
  • Slack_software_x64_.exe
  • Trello_software_x64_.exe
  • GoodNotes_software_x64_32.exe
[Image: malicious ad URLs (Source – ASEC)]

In the example ad, the tracking template URL is never shown to the user: the banner displays a legitimate-looking final URL, but clicking it sends the browser through the concealed tracking template URL instead of straight to the displayed destination.

[Image: redirection sequence (Source – ASEC)]

The attackers abused the Google Ads tracking template, a feature meant to route clicks through an analytics endpoint before the final URL, to route them to a malicious site instead.

While the ad was active (it has since been removed), anyone who clicked it was redirected to a page that pushed the malicious files under the guise of a legitimate software download.

The redirection chain was:

1. hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3yV4nTuE_ptW9t-YIT1-Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96OMpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE

2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8

3. hxxps://cerisico[.]net/

The final landing page was:

  • hxxps://notione.my-apk[.]com

The final landing page imitated the legitimate vendor's site, tricking visitors into downloading and running the malware. Note that the page.link hop carries the real Notion pricing URL as a parameter, while the browser ends up on a lookalike domain (notione.my-apk[.]com) that has nothing to do with notion.so.
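The redirection chain above can be checked mechanically: the tracking hop names the destination the user expects (the Notion pricing page, embedded in its `url=` parameter), while the last hop lands somewhere else. The following script is an added example, not ASEC's or the article's code. It replays the article's chain as a constructed list (defanging removed, the Google click-ID tokens replaced with `REDACTED`), extracts the embedded destination, and flags a registered-domain mismatch and a brand lookalike. The two-label "registered domain" shortcut and the brand heuristic are my simplifications; a production tool would use the Public Suffix List.

```python
"""Check an ad click-through chain for tracking-template abuse.

Added example; the chain is reconstructed from the URLs in the article and the
heuristics are the author's own, not ASEC's.
"""
from urllib.parse import parse_qs, urlsplit

# Query parameters that carry an embedded destination in the chain above.
DEST_PARAMS = ("adurl", "url")
# Redirector/shortener services seen in the article's chain and IoCs.
SHORTENER_DOMAINS = {"page.link", "tinyurl.com"}

# Constructed sample: the redirection sequence reported by ASEC, in order.
# The aclk click-ID values are replaced with REDACTED; note the blank `adurl`.
MALICIOUS_CHAIN = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=REDACTED&gclid=REDACTED"
    "&ohost=www.google.com&cid=REDACTED&sig=REDACTED&q&nis=6&adurl&ved=REDACTED",
    "https://pantovawy.page.link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8",
    "https://cerisico.net/",
    "https://notione.my-apk.com",
]

# Constructed benign chain for comparison: the click URL names the destination
# and the browser actually lands there.
BENIGN_CHAIN = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=REDACTED"
    "&adurl=https://www.notion.so/pricing",
    "https://www.notion.so/pricing",
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    # Simplification: last two labels ("notion.so", "my-apk.com", "page.link").
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def embedded_destination(url):
    """Return the host named inside a redirector/tracking URL, or None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key in DEST_PARAMS:
        for value in qs.get(key, []):
            if value:  # the malicious click URL carries an empty `adurl`
                host = host_of(value)
                if host:
                    return host
    return None


def analyze(chain):
    """Compare the destination the chain advertises with where it lands."""
    landing = host_of(chain[-1])
    expected = next((d for d in map(embedded_destination, chain) if d), None)
    result = {
        "hops": len(chain),
        "hosts": [host_of(u) for u in chain],
        "expected_host": expected,
        "landing_host": landing,
        "via_shortener": any(
            registered_domain(host_of(u)) in SHORTENER_DOMAINS for u in chain
        ),
        "mismatch": False,
        "lookalike": False,
    }
    if expected:
        exp_reg, land_reg = registered_domain(expected), registered_domain(landing)
        result["mismatch"] = exp_reg != land_reg
        brand = exp_reg.split(".")[0]  # "notion" from "notion.so"
        # Lookalike: the brand name appears in a host under a different domain.
        result["lookalike"] = result["mismatch"] and brand in landing
    return result


if __name__ == "__main__":
    for name, chain in (("malicious", MALICIOUS_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, analyze(chain))
```

Run it as a script to see both verdicts; in practice the chain would come from a proxy log or a browser's redirect history rather than a hard-coded list.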

After execution, the malware retrieved the addresses of its next-stage payloads from a URL shortener and a text-sharing site (tinyurl.com and textbin.net).

Those addresses pointed to the actual malware binaries, hosted on compromised domains such as slashidot.org, yogapets.xyz, bookpool.org, and birdarid.org, completing the multi-stage infection.

The payload fetched from those links is the Rhadamanthys infostealer. Rather than running as its own process, it is injected into legitimate Windows binaries from %system32%, such as dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe.

Executing inside trusted, signed system processes helps the stealer evade process-based detection while it harvests credentials and other private data.
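The host-side pattern described above (a lure installer named `<Product>_software_x64_.exe` running from a user directory, and a %system32% binary such as dialer.exe spawned by it) is easy to hunt for in process-creation telemetry. The script below is an added example, not ASEC's or the article's code. It runs three checks over constructed Sysmon-style process-creation records: the MD5 IoC list, the lure file-name pattern, and an injection-target binary whose parent is a lure. The records, PIDs and paths are constructed; the MD5s are the article's, but which hash belongs to which lure file is not stated there, so that pairing is my assumption.

```python
"""Hunt for the Rhadamanthys delivery pattern in process-creation events.

Added example using constructed Sysmon-style records; indicators (file names,
MD5s, injection targets) are taken from the article, the heuristics are mine.
"""
import ntpath
import re

# Lure file names reported by ASEC: <Product>_software_x64_.exe / _x64_32.exe
LURE_NAME = re.compile(r"^[A-Za-z]+_software_x64_(32)?\.exe$", re.IGNORECASE)

# Legitimate %system32% binaries the stealer was injected into
INJECTION_TARGETS = {"dialer.exe", "openwith.exe", "dllhost.exe", "rundll32.exe"}

# MD5 IoCs from the article
KNOWN_MD5 = {
    "9437c89a5f9a51a4ff6d6076083fa6c9", "12b6229551fbb1dcb2823bc8b611300f",
    "33aa3073d148816e9e8de0af4f84582e", "f0a3499f83d2d9066ab19d39b9af6696",
    "2498997ab3e66e24bc08d044e0ef4418", "f2590ece758eb32302c504ac3ff413f4",
    "eef03c8cd2f27ead8b2d59d5cda4cf6e", "9034cf58867961cde08a20cb1057c490",
    "f7200603cb8aa9e2b544255ed848c9c0",
}

# Constructed Sysmon Event ID 1-like records. The MD5 on pid 101 is one of the
# article's IoCs; pairing it with this particular lure name is an assumption.
# Zero-padded hashes stand in for unremarkable benign binaries.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "md5": "00000000000000000000000000000000"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\alice\Downloads\Notion_software_x64_.exe",
     "md5": "9437c89a5f9a51a4ff6d6076083fa6c9"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\dialer.exe",
     "md5": "00000000000000000000000000000001"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "md5": "00000000000000000000000000000002"},
    {"pid": 104, "ppid": 100, "image": r"C:\Program Files\Notion\Notion.exe",
     "md5": "00000000000000000000000000000003"},
]


def basename(path):
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def is_lure_name(path):
    return bool(LURE_NAME.match(ntpath.basename(path)))


def triage(events):
    """Return {pid: [reasons]} for every event that matches an indicator."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        if e["md5"].lower() in KNOWN_MD5:
            reasons.append("known_md5")
        if is_lure_name(e["image"]):
            reasons.append("lure_filename")
        parent = by_pid.get(e["ppid"])
        # A system32 binary started by a lure installer is consistent with the
        # injection behaviour the article describes; a normal explorer.exe
        # parent (pid 103) is not flagged by this rule.
        if (basename(e["image"]) in INJECTION_TARGETS
                and parent is not None and is_lure_name(parent["image"])):
            reasons.append("system32_child_of_lure")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, EVENTS[[e["pid"] for e in EVENTS].index(pid)]["image"], reasons)
```

The parent-child rule is deliberately narrow (it only fires when the parent itself matches the lure name) so it stays quiet on ordinary rundll32.exe activity; in a real hunt you would widen the parent condition to any unsigned binary in a user-writable path and join against the file-hash table.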

This case shows that attackers abuse the tracking features of Google Ads and other search-engine ad platforms to distribute malware. The URL displayed in an ad banner is not a reliable indicator of where a click will lead; users should check the address bar of the page they actually land on, and download software only from the vendor's official site.

IoCs

MD5s

  • 9437c89a5f9a51a4ff6d6076083fa6c9
  • 12b6229551fbb1dcb2823bc8b611300f
  • 33aa3073d148816e9e8de0af4f84582e
  • f0a3499f83d2d9066ab19d39b9af6696
  • 2498997ab3e66e24bc08d044e0ef4418
  • f2590ece758eb32302c504ac3ff413f4
  • eef03c8cd2f27ead8b2d59d5cda4cf6e
  • 9034cf58867961cde08a20cb1057c490
  • f7200603cb8aa9e2b544255ed848c9c0

URLs

  • hxxp://tinyurl[.]com/4jnvfsns
  • hxxp://tinyurl[.]com/4a3uxm6m
  • hxxps://textbin[.]net/raw/oumciccl6b
  • hxxp://tinyurl[.]com/mrx7263e
  • hxxp://tinyurl[.]com/253x7rnn
  • hxxps://slashidot[.]org/@abcDP.exe
  • hxxps://yogapets[.]xyz/@abcmse1.exe
  • hxxps://bookpool[.]org/@Base.exe
  • hxxp://birdarid[.]org/@abcDS.exe
  • hxxps://alternativebehavioralconcepts[.]org/databack/notwin.php
  • hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
  • hxxps://cerisico[.]net/

File Detection

  • Trojan/Win.Agent.C5595056 (2024.02.29.02)
  • Trojan/Win.Agent.C5592526 (2024.02.23.02)
  • Trojan/Win.Agent.C5594794 (2024.02.28.03)
  • Trojan/Win.Rhadamanthys.R636740 (2024.02.27.00)

Behavior Detection

  • Injection/MDP.Event.M10231
