Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.
At least one prominent user on the cryptocurrency scene has fallen victim to the campaign, claiming it allowed hacker hackers steal all their digital crypto assets along with control over their professional and personal accounts.
Over the weekend, crypto influencer Alex, better known by their online persona NFT God, was hacked after launching a fake executable for the Open Broadcaster Software (OBS) video recording and live streaming software they had downloaded from a Google ad in search results.
“Nothing happened when I clicked the EXE,” Alex wrote in a Twitter thread recounting their experience over the weekend. However, a few hours later friends alerted them that their Twitter account had been hacked.
Unbeknownst to Alex, this was likely an information-stealing malware that stole their saved browser passwords, cookies, Discord tokens, and cryptocurrency wallets and sent them to a remote attacker.
Soon, Alex found that their account at the OpenSea NFT marketplace had also been compromised and a different wallet was listed as the owner of one of their digital assets.
“I knew at that moment it was all gone. Everything. All my crypto and NFTs ripped from me,” NFT God says in the thread.
Soon, Alex discovered that their Substack, Gmail, Discord, and cryptocurrency wallets suffered the same fate and were controlled by the hackers.
While this is not a new stratagem, threat actors appear to use it more often. In October last year, BleepingComputer reported on a massive campaign that relied on more than 200 typosquatting domains for over two dozen brands to mislead users.
The distribution method was unknown at the time but separate reports in December from cybersecurity companies Trend Micro and Guardio revealed that hackers were abusing the Google Ads platform to push malicious downloads in search results.
Flurry of malicious ads in Google search results
Following NFT God’s thread, BleepingComputer conducted its own research and uncovered that OBS is one in a long list of software that threat actors impersonate to push malicious downloads in Google Ads search results.
One example we found is a Google Ad search result for Rufus, a free utility for creating bootable USB flash drives.
The threat actor registered domains that resemble the official one and copied the main part of the legitimate site up to the download section.
In one case, they used the generic top-level domain “pro,” likely in an attempt to pique victim interest and attract with the promise of a wider set of program features.
To note, there is no advanced variant of Rufus. There is only one edition available as an installable or portable variant hosted on GitHub.
For the malicious version, the download goes to a file transfer service. Because it is an archive bomb, many antivirus engines do not detect it as a threat.
Another popular program impersonated is the text and source code editor Notepad++. The threat actor used typosquatting to create a domain similar to the legitimate one from the official developer.
Security researcher Will Dormann found that fake Notepad++ downloads in the sponsored section of Google search were available from additional URLs, all files being marked as malicious by various antivirus (AV) engines on the Virus Total scanning platform.
BleepingComputer also found a website filled with fake software downloads distributed solely via Google Ads search results. The website impersonates what appears to be a legitimate web design company in India called Zensoft Tech.
Unfortunately, we could not verify if the downloads were malicious but given that the domain is a typosquatted URL, the site blocks search engines from indexing content and promoting the downloads only through ads in search results, there is a strong indication of malicious activity.
Among the pieces of software we discovered on the website are the file compression utilities 7-ZIP and WinRAR, and the widely used media player VLC.
From a different domain, threat actors provided a malicious version of the CCleaner utility for removing potentially unwanted files and invalid Windows Registry entries.
It appears that the hackers made an effort to outbid the legitimate developer and thus have their ad in the top position. As seen in the image below, the official CCleaner website is displayed under the malicious advertisement. This site offered a CCleaner.zip file that installed Redline information-stealing malware.
Several security researchers (mdmck10, MalwareHunterTeam, Will Dormann, Germán Fernández) have uncovered additional URLs hosting malicious downloads impersonating free and open-source software, confirming that luring users through sponsored results on Google search is a more common approach for cybercriminals.
Germán Fernández of cybersecurity company CronUp provides a list of 70 domains that are distributing malware through Google Ads search results by impersonating legitimate software.
The websites are replicas of the official ones and either provide fake software or redirect to another download location. Many of them offer Audacity and some are for VLC and the image editor GIMP.
One user almost fell for the trick when looking to get the Blender 3D open-source 3D creation suite. A tweet from MalwareHunterTeam shows that three malicious ads for this product preceded the link from the official developer.
Looking at one of the samples flagged as malicious by some AV products, security researcher Will Dormann noticed that it had an invalid signature from cybersecurity company Bitdefender.
Although BleepingComputer could not check in all cases the malware delivered this way, in some instances the payload was the RedLine Stealer we saw in the fake CCleaner site.
This malware collects sensitive data from browsers (credentials, credit card, autocomplete info), details about the system (username, location, hardware, security software available), and cryptocurrency.
Fernández found that one threat actor distributed the .NET-based remote access trojan SectoRAT, also known as Arechclient2, via fake downloads for the Audacity digital audio editor.
The researcher also came across the Vidar info-stealer delivered via malicious downloads for Blender 3D advertised in Google Search. Vidar is focused on collecting sensitive info from browsers and can also steal cryptocurrency wallets.
After publishing this article, researchers at HP Wolf Security released a report about similar campaigns, noting that the first one they analyzed dated from November 2022.
Some of the malware they saw delivered through fake software malvertising includes the IcedID trojan, Vidar, Rhadamanthys Stealer and BatLoader.
At the moment, BleepingComputer and multiple security researchers have seen malicious ads in Google search results for the following software:
- 7-Zip
- Blender 3D
- Capcut
- CCleaner
- Notepad++
- OBS
- Rufus
- VirtualBox
- VLC Media Player
- WinRAR
- Putty
BleepingComputer has shared some of these findings with Google and a company representative told us that the platform’s policies are designed and enforced to prevent brand impersonation.
“We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands, and we enforce them vigorously. We reviewed the ads in question and have removed them” – Google
At the time of writing this article, Google said it would check if additional advertisements and sites reported violated their policies and would take appropriate action if needed. The company has completed this process and removed the reported malicious ads.
Ad-blockers could increase protection
Using sponsored ads in search results as a malware delivery channel has been flagged by the FBI in an alert last year before Christmas.
The agency warned that “these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result” and they link to a website that “looks identical to the impersonated business’s official webpage.”
Because of this, cybercriminals have a better chance of spreading their malware to a larger pool of unsuspecting users.
Checking the URL of a download source is always good advice. Coupled with the use of an ad-blocker, the level of protection against this type of threat should decrease drastically.
Ad-blockers are available as extensions in most web browsers and, as their name says, they stop advertisements from being loaded and displayed on a web page, including search results.
Apart from adding to more comfortable use of the internet, ad-blockers also step up privacy by preventing tracking cookies in advertisements from collecting data about your browsing habits.
In this case, however, such extensions could make the difference between losing access to your sensitive information or online accounts and getting digital resources from legitimate vendors.
Update [January 18, 2023]: Article updated to reflect that Google reviewed additional malicious ads reported and removed them after publishing this article. Initially, the company received only a smaller set of malicious ads and removed them from the platform.
Added new details from HP Wolf Security research finding other malware delivered through fake software advertising campaigns since November 2022.