A sophisticated Slack malvertising campaign targeting users has been found exploiting Google search ads to deliver malware. This stealthy attack highlights the evolving tactics of cybercriminals and the need for heightened vigilance among internet users.
The campaign, which lasted several days, involved a suspicious ad for Slack appearing in Google search results. While initially harmless, the ad eventually led users through a complex chain of redirects, ultimately serving malware to unsuspecting victims.
Slack Malvertising Campaign Manipulates Google Ads
At first glance, the Slack malvertising ads seemed legitimate, even outranking the official Slack website in search results. However, upon closer inspection by researchers from Malwarebytes, something was clearly amiss: the ad’s advertiser had been promoting products aimed at the Asian market, yet the ad was being displayed in an entirely different region.
Using contextualized detection, a technique they had previously applied to identify compromised advertiser accounts, the researchers concluded that the ad was likely malicious. The team labeled the ad as ‘cooking’, a common practice in which malicious ads are left idle for an initial period so as not to trigger detection.
The ad’s behavior eventually changed: it redirected to a click tracker, which sent user traffic to a domain of the attacker’s own choosing and then on to the final URL, slack-windows-download[.]com, a domain that had been created just a week before the attack.
Visitors were initially shown a decoy page, but after adjusting their settings the researchers were able to reveal the malicious page, which impersonated the official Slack site and offered a download link to unsuspecting victims. This behavior is known as cloaking: different users are shown different content.
The ad’s redirect chain was complex, involving a click fraud detection tool, followed by a click tracker, and finally, a cloaking domain. This deep layering made it difficult for the researchers to evaluate the ad without specialized tooling and knowledge of the threat actor’s tactics, techniques, and procedures (TTPs).
Clicking the download button triggered a file download from another domain, hinting at a parallel campaign targeting Zoom. Dynamic analysis revealed a remote connection to a server previously used by the SecTopRAT remote access Trojan, which has stealer capabilities.
The threat actors behind this campaign employed several methods to avoid detection:
- Ad ‘cooking’: The malicious ad remained dormant for days, redirecting to legitimate Slack pages before activating its payload.
- Click tracking abuse: The attackers used click tracking services to obscure the final destination from Google’s security measures.
- Cloaking: Different content was served to different users, making it difficult to identify the malicious nature of the landing page.
- Multi-layered redirects: A series of redirects, including fraud detection tools and tracking links, further obfuscated the attack chain.
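As an added example (not code from the article or from Malwarebytes), the Python below turns those four indicators into defensive triage checks over a captured ad redirect chain: chain depth through trackers, a brand-lookalike landing domain, a landing domain registered shortly before the ad ran, and cloaking detected by comparing the bodies served to different visitor profiles. The allow-list of official domains, the intermediate hostnames, the registration and observation dates and the response bodies are all constructed; only the landing domain is taken from the article.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Brands we protect and their legitimate domains (assumed allow-list, not from the article).
OFFICIAL_DOMAINS = {"slack": {"slack.com"}}

@dataclass
class Hop:
    url: str     # URL requested at this step; defanged "[.]" notation is accepted
    status: int  # HTTP status observed

def host_of(url: str) -> str:
    return (urlparse(url.replace("[.]", ".")).hostname or "").lower()

def is_official(brand: str, host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])

def triage_chain(brand, hops, registered, observed, max_hops=2, min_age_days=30):
    """Findings for one captured redirect chain. `registered` maps host -> registration
    date (from WHOIS/RDAP in practice); `observed` is the date the ad was seen."""
    findings = []
    final_host = host_of(hops[-1].url)
    redirects = [h for h in hops[:-1] if 300 <= h.status < 400]
    if len(redirects) > max_hops:
        findings.append(f"{len(redirects)} redirects before the landing page")
    if brand in final_host and not is_official(brand, final_host):
        findings.append(f"brand lookalike landing domain: {final_host}")
    reg = registered.get(final_host)
    if reg is not None and (observed - reg).days < min_age_days:
        findings.append(f"landing domain registered {(observed - reg).days} days before the ad")
    return findings

def is_cloaked(responses: dict) -> bool:
    """True if one landing URL returned different bodies to different visitor profiles."""
    return len({hashlib.sha256(b.encode()).hexdigest() for b in responses.values()}) > 1

# Constructed sample modelled on the chain described in the article.
SAMPLE_HOPS = [
    Hop("https://fraud-check.example/c?id=1", 302),     # click fraud detection tool
    Hop("https://tracker.example/click?d=abc", 302),    # click tracker
    Hop("https://gate.example/go", 302),                # cloaking domain
    Hop("https://slack-windows-download[.]com/", 200),  # lookalike landing page (from the article)
]
SAMPLE_REGISTERED = {"slack-windows-download.com": date(2024, 8, 25)}  # constructed date
SAMPLE_OBSERVED = date(2024, 9, 1)                                      # constructed date
SAMPLE_RESPONSES = {"scanner": "<html>Welcome</html>",                  # constructed bodies
                    "user": "<html>Download Slack for Windows</html>"}
```

In practice the hops come from a browser or proxy capture of the ad click, and the cloaking check is run with at least one realistic user profile, since a scanner profile alone only ever sees the decoy.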
Malware Delivery and Implications
The final payload of the campaign, SecTopRAT, a remote access Trojan with data-stealing capabilities, is used by the attackers to establish a connection to a command and control server, potentially compromising the systems and data of targeted victims.
As malvertisers continue to exploit legitimate platforms and employ sophisticated evasion techniques, both individuals and organizations must remain vigilant against these tactics and employ multi-layered security approaches to protect against such threats.