Searching for distributions of popular software via Google has always posed a certain risk, but in recent days cyber criminals have become much more active – links to resources with malicious downloads are displayed in an advertising block above the organic search results. Google itself is not taking any visible action, writes Ars Technica, referring to information from Spamhaus.
The links in the ads open pages that download fake installer files for such popular programs as Adobe Reader, GIMP, Microsoft Teams, OBS, Slack, Tor, MSI Afterburner, and Thunderbird. In reality, computers are infected with malware from the AuroraStealer, IcedID, Meta* Stealer, RedLine Stealer, Vidar, Formbook and Xloader families. Previously, this malware was distributed via phishing campaigns and spam, but in the last month cyber criminals have turned to the Google Ads advertising platform, which displays ads in search results.
The malware uses sophisticated virtualization mechanisms to make detection more difficult and sends multiple HTTP requests to different addresses, only one of which belongs to the real command-and-control server, hosted by public cloud providers like Azure, Tucows, Choopa, and Namecheap.
A Google spokesman said cyber criminals often use sophisticated mechanisms to disguise malicious activity, and that over the past few years the company has introduced “new certification guidelines” aimed at verifying advertisers. The company is aware of the increase in fraudulent activity over the past few days – fighting it is a priority.
* Included in the list of public associations and religious organizations in respect of which a court has issued a final decision concerning their activities on the grounds provided for by Federal Law No. 114-FZ of July 25, 2002 “On Combating Extremist Activity”.