Threat researchers have identified a persistent series of malvertising campaigns targeting graphic design professionals, using Google Search ads as a vector.
The campaign, active since at least November 13, 2024, uses two dedicated IP addresses, 185.11.61[.]243 and 185.147.124[.]110, to host its malicious domains.
At the time of this writing, 109 unique domains resolved to the first of these, 185.11.61[.]243, all of them apparently registered for this graphic design/CAD malvertising campaign.
Silent Push, in collaboration with its research partners, has tracked at least ten distinct campaigns over the past month. These malicious Google Ads campaigns utilize domains that direct unsuspecting users to harmful downloads, posing a significant risk to corporate environments and individual security.
Unpacking the Campaigns
The initial domain, frecadsolutions[.]com, opened the malvertising effort; it has been hosted on 185.11.61[.]243 since early November.
The campaign then expanded rapidly through subtle variations on that name, such as frecadsolutions[.]cc, and through similar-sounding domains impersonating other CAD products, such as freecad-solutions[.]net and rhino3dsolutions[.]io.
According to Silent Push's research, “On November 14, 2024, a malvertising campaign was launched using frecadsolutions[.]cc (note the subtle TLD difference of “cc” vs. “com”), which had also been hosted on 185.11.61[.]243 since November 6, 2024. This made use of Bitbucket for its malicious download, which is normally a legitimate file hosting site.”
On December 9, 2024, a malvertising campaign was launched with onshape3d[.]org, which had been hosted on 185.147.124[.]110 from December 1, 2024, to present.
These domains shifted between the two identified IP addresses, indicating a coordinated effort by a single threat actor. The domains often used legitimate platforms like Bitbucket to host malicious files, exacerbating the threat by leveraging trusted names.
Despite these ongoing threats, there appears to be a significant oversight in response from major players such as Google.
Simple investigative techniques, like tracking hosting IP addresses back to similar domains, a task manageable even for junior threat analysts, seem to be overlooked. This lack of action underscores the challenge of addressing malvertising promptly and effectively.
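The IP-to-domain pivot described above, shown as an added example that is not part of the article and not Silent Push's tooling. It takes a set of passive-DNS style records, lists every domain that resolved to one of the campaign IPs, flags the ones whose second-level label is a lookalike of the impersonated CAD brands (FreeCAD, Rhino3D, Onshape), and groups domains that differ only by TLD. The records, the unrelated filler domains, the brand list and the similarity threshold are assumptions made for the demo; only the two IPs and the five domains the article names are real indicators.

```python
"""
Added example (not from the article or from Silent Push): pivot from a hosting
IP to the domains resolving to it, then flag lookalikes of the CAD brands the
campaign impersonated. PDNS below is CONSTRUCTED for the demo; the ".test"
domains and all first_seen dates are hypothetical.
"""
from collections import defaultdict
from difflib import SequenceMatcher

CAMPAIGN_IPS = ("185.11.61.243", "185.147.124.110")   # from the article
BRANDS = ("freecad", "rhino3d", "onshape")            # assumed impersonated products
GENERIC = ("solutions", "download", "software", "official")  # assumed filler words

# Constructed passive-DNS style records: (domain, resolved_ip, first_seen).
PDNS = [
    ("frecadsolutions.com",   "185.11.61.243",   "2024-11-04"),
    ("frecadsolutions.cc",    "185.11.61.243",   "2024-11-06"),
    ("freecad-solutions.net", "185.11.61.243",   "2024-11-20"),
    ("rhino3dsolutions.io",   "185.11.61.243",   "2024-11-25"),
    ("onshape3d.org",         "185.147.124.110", "2024-12-01"),
    ("example-shop.test",     "185.11.61.243",   "2024-10-01"),  # hypothetical, same IP, not a lookalike
    ("legit-news.test",       "203.0.113.7",     "2024-11-15"),  # hypothetical, unrelated IP
]


def pivot(records, ip):
    """Domains that resolved to `ip`, ordered by first_seen (oldest first)."""
    hits = [(first, dom) for dom, rip, first in records if rip == ip]
    return [dom for _, dom in sorted(hits)]


def second_level(domain):
    """Label left of the TLD. Assumes single-label TLDs (no co.uk handling)."""
    return domain.lower().split(".")[-2]


def core_label(domain):
    """Second-level label with hyphens and generic filler words stripped."""
    label = second_level(domain).replace("-", "")
    for word in GENERIC:
        label = label.replace(word, "")
    return label


def brand_score(label):
    """Best (brand, similarity) for a stripped label. A brand embedded in the
    label counts as an exact hit; otherwise use difflib's ratio, which catches
    single-character typos such as 'frecad' -> 'freecad'."""
    best = (None, 0.0)
    for brand in BRANDS:
        score = 1.0 if brand in label else SequenceMatcher(None, label, brand).ratio()
        if score > best[1]:
            best = (brand, score)
    return best


def find_lookalikes(records, ip, threshold=0.8):
    """[(domain, brand, score)] for domains on `ip` that impersonate a brand."""
    out = []
    for dom in pivot(records, ip):
        brand, score = brand_score(core_label(dom))
        if score >= threshold:
            out.append((dom, brand, round(score, 3)))
    return out


def tld_variants(domains):
    """Group domains sharing a second-level label, e.g. the .com/.cc pair."""
    groups = defaultdict(list)
    for dom in domains:
        groups[second_level(dom)].append(dom)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def defang(indicator):
    """Render the last dot as [.] so the indicator is not clickable in reports."""
    head, _, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if head else indicator


if __name__ == "__main__":
    for ip in CAMPAIGN_IPS:
        print(f"== {defang(ip)} ==")
        for dom, brand, score in find_lookalikes(PDNS, ip):
            print(f"  {defang(dom):28} impersonates {brand} (score {score})")
        for label, doms in tld_variants(pivot(PDNS, ip)).items():
            print(f"  TLD variants of '{label}': {', '.join(defang(d) for d in doms)}")
```

The threshold of 0.8 is a demo value; in practice the pivot list from a real passive-DNS source is noisy, so a practitioner would tune it against known-good domains on the same hosting range and review anything between roughly 0.7 and 0.8 by hand rather than blocking it automatically.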
Silent Push has taken proactive steps by compiling an Indicators of Future Attack (IOFA) Feed, focusing on malvertising domains and IPs. This feed is a crucial resource for enterprise users, providing data to enhance security protocols and detect potential threats.
The persistence of malvertising campaigns highlights the evolving landscape of cyber threats, emphasizing the need for robust investigative and preventive measures.