SecTopRAT bundled in Chrome installer distributed via Google Ads

SecTopRAT bundled in Chrome installer distributed via Google Ads

Criminals are once again abusing Google Ads to trick users into downloading malware. Ironically, this time the bait is a malicious ad for Google Chrome, the world’s most popular browser.

Victims who click the ad land on a fraudulent Google Sites page designed as a intermediary portal, similar to what we saw earlier this year with the massive Google accounts phishing campaign.

The final redirect eventually downloads a large executable disguised as Google Chrome which does install the aforementioned but also surreptitiously drops a malware payload known as SecTopRAT.

We have reported this incident to Google, but at the time of writing the fake Google Sites page is still up and running.

Distribution: Ad and Google Sites combo

We identified a suspicious ad when searching for “download google chrome“. If you look at the URL embedded in the sponsored result, you will notice it shows “https://sites.google.com“, which is Google’s free website builder.

While most pages hosted on there are legitimate, it’s good to remember that they are user generated and that abuse is a part of any open platform. It’s also a way for criminals to cleverly appear as legitimate when building fake ads.

SecTopRAT bundled in Chrome installer distributed via Google Ads 8
SecTopRAT bundled in Chrome installer distributed via Google Ads
SecTopRAT bundled in Chrome installer distributed via Google Ads 9

Malware payload

Once a user double clicks on GoogleChrome.exe the fake Chrome installer connects to hxxps[://]launchapps[.]site/getCode[.]php and retrieves the necessary instructions. Below, we can see how it requests to run as administrator in order to perform certain actions that require this access level.

A PowerShell command adds an exclusion path to the %appdata%Roaming directory so that Windows Defender does not trigger when the malware payload is extracted.

SecTopRAT bundled in Chrome installer distributed via Google Ads
SecTopRAT bundled in Chrome installer distributed via Google Ads 10

An encrypted data stream is downloaded from hxxps[://]launchapps[.]site/3[.]php?uuid={}_uuid and then decrypted:

SecTopRAT bundled in Chrome installer distributed via Google Ads
SecTopRAT bundled in Chrome installer distributed via Google Ads 11

The executable named decrypted.exe (PDB path: D:awix4wix4buildburnReleasex64burn.pdb) is then dropped to %AppData%RoamingBackupWin and unpacks the final payload, waterfox.exe. Side note: it has the same name and icon as the Waterfox browser (an open-source fork of the Firefox web browser).

SecTopRAT bundled in Chrome installer distributed via Google Ads
SecTopRAT bundled in Chrome installer distributed via Google Ads 12

The malicious code is then injected into the legitimate MSBuild.exe process which communicates with the attackers’ command and control infrastructure at the following IP: 45.141.84[.]208. From this, we identify the malware payload as SecTopRAT, a remote access Trojan with stealer capabilities.

Lastly, to make sure victims are completely fooled, it finishes by downloading and installing the legitimate Chrome browser. From the installation script, we see other campaigns the same threat actors are running in parallel for fake Notion and Grammarly installers.

SecTopRAT bundled in Chrome installer distributed via Google Ads
SecTopRAT bundled in Chrome installer distributed via Google Ads 13

Conclusion

Downloading and installing software provides an opportunity for threat actors as long as they are able to compromise the delivery chain. Search ads provide that entry point by leveraging the trust users have in their search engine. It is somewhat ironic but also damning when malicious ads impersonate the same platform that allows them in the first place.

The fake Chrome installer we reviewed in this blog post cleverly retrieved its malicious payload dynamically from a remote site and only decrypted it after making sure Windows Defender would not be able to scan it. The ruse was complete when the actual legitimate Google Chrome installer was downloaded and installed.

Malwarebytes users were already protected from this attack, with Browser Guard blocking the malicious ad and Premium Security Antivirus detecting the dropped payload.

SecTopRAT bundled in Chrome installer distributed via Google Ads
SecTopRAT bundled in Chrome installer distributed via Google Ads 14

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Google Sites

sites[.]google[.]com/view/gfbtechd/

Fake Chrome download

chrome[.]browser[.]com[.]de
chrome[.]browser[.]com[.]de/GoogleChrome.exe
48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55

Payload host

launchapps[.]site

decrypted.exe

f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7

waterfox.exe

0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54

C2

45.141.84[.]208



Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.