Hackers Exploit Google Ads Tracking Feature To Deliver Malware

by Esmeralda McKenzie

Google Ads is a massive platform with a huge user base, which makes it attractive to threat actors who need to reach many targets quickly.

Malicious ads can be created from scratch, or legitimate ones hijacked, to spread malware, phishing scams, and other malicious content.


The fine-grained ad targeting options on Google Ads let hacking groups aim at specific demographics, locations, or interests, which increases their chances of success.

Google Ads' pay-per-click model can also be abused for fraudulent activity such as click fraud or draining advertising budgets. Given the complexity and widespread reach of the Google Ads business, detecting and preventing such threats is difficult.

AhnLab Security Intelligence Center (ASEC) has recently discovered that hackers are actively exploiting the Google Ads tracking feature to deliver malware.

Hackers Exploit Google Ads Tracking

AhnLab found malware disguised as installers for popular groupware such as Notion and Slack, distributed via Google Ads tracking. Upon execution, it fetches malicious payloads from attacker-controlled servers.

The identified malicious file names include:-

  • Notion_software_x64_.exe
  • Slack_software_x64_.exe
  • Trello_software_x64_.exe
  • GoodNotes_software_x64_32.exe
URLs (Source: ASEC)

The ad example shows a tracking URL that is hidden from users. Clicking the visible banner sends the user to the concealed tracking template URL rather than to the displayed final URL.

Redirection sequence (Source: ASEC)

The hackers abused the Google Ads tracking feature, which is intended for website traffic analysis, to redirect clicks to a malicious site instead of a legitimate analytics endpoint.

While it was active, and before its removal, the malicious ad redirected anyone who clicked it to download malicious files under false pretenses.

The redirection chain is listed below:-

1. hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3yV4nTuE_ptW9t-YIT1-Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96OMpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE

2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8

3. hxxps://cerisico[.]net/

The final landing page is listed below:-

  • hxxps://notione.my-apk[.]com

The final landing page mimicked legitimate groupware sites, tricking visitors into downloading and running the malware.
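The defensive check that follows from this chain is simple: the tracking hop declares where the click is supposed to end up (the `url=` parameter pointing at the Notion pricing page), while the landing page is on an unrelated domain. The script below is an added example, not code from the article or from ASEC. It refangs the four hops exactly as the article reports them, pulls the declared destination out of the tracking-template hop, and flags the chain when the final landing host is not under the declared registrable domain or reuses the brand token in a look-alike name. The `registrable()` helper is a deliberately crude last-two-labels approximation and is labelled as such.

```python
"""Check a Google Ads click-redirect chain for a landing host that does not
match the destination encoded in the tracking template.

Added example, not code from the article or from ASEC. The chain below is the
one the article reports (defanged as on the page); the check is a generic
heuristic that assumes a proxy log or browser history gives you the hops in order.
"""
from urllib.parse import urlparse, parse_qs, unquote

# Redirect chain as reported in the article (defanged with hxxp / [.]).
CHAIN = [
    "hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&ohost=www.google.com&q&nis=6&adurl",
    "hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8",
    "hxxps://cerisico[.]net/",
    "hxxps://notione.my-apk[.]com",
]


def refang(url: str) -> str:
    """Turn the defanged notation used in threat reports back into a real URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    return (urlparse(refang(url)).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Good enough for this heuristic;
    use a public-suffix library in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def declared_destination(chain):
    """Return the destination the tracking hop claims to forward to: the first
    `url=` or `adurl=` query parameter in any hop that actually holds a URL."""
    for hop in chain:
        qs = parse_qs(urlparse(refang(hop)).query)  # bare keys (no value) are dropped
        for key in ("url", "adurl"):
            for value in qs.get(key, []):
                value = unquote(value)
                if value.startswith("http"):
                    return value
    return None


def analyse_chain(chain):
    """Describe whether the final landing host matches the declared destination."""
    declared = declared_destination(chain)
    final_host = host_of(chain[-1])
    result = {
        "declared_host": host_of(declared) if declared else None,
        "final_host": final_host,
        "hops": len(chain),
        "suspicious": False,
        "reasons": [],
    }
    if declared is None:
        result["suspicious"] = True
        result["reasons"].append("no destination declared in any tracking hop")
        return result
    declared_host = host_of(declared)
    if registrable(declared_host) != registrable(final_host):
        result["suspicious"] = True
        result["reasons"].append(
            f"landing host {final_host} is not under declared {declared_host}")
        # Brand token reused in an unrelated domain (notion -> notione.my-apk.com)
        brand = registrable(declared_host).split(".")[0]
        if brand and brand in final_host:
            result["reasons"].append(f"brand token '{brand}' reused in {final_host}")
    return result


if __name__ == "__main__":
    print(analyse_chain(CHAIN))
```

Run it on the article's chain and both reasons fire: the landing host `notione.my-apk.com` is not under `notion.so`, and it reuses the `notion` token. A benign chain whose `adurl=` and landing page share a registrable domain comes back clean, which is the property you would build a proxy alert around.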

After execution, the malware fetched the addresses of its payloads from text-sharing sites such as tinyurl.com and textbin.net.

Those shared URLs in turn pointed to the actual malware download links, hosted on compromised domains such as slashidot.org, yogapets.xyz, bookpool.org, and birdarid.org, completing the multi-stage infection process.

The Rhadamanthys infostealer fetched from those links is injected into legitimate Windows %system32% binaries such as dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe.

Running inside trusted binaries lets it steal private data while drawing less attention.
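The injection step is also the most detectable one on the endpoint: a freshly downloaded installer-lookalike should have no business opening a remote thread in dialer.exe or rundll32.exe. The following is an added example, not the article's or ASEC's code. It scores Sysmon-style CreateRemoteThread records (Event ID 8, with Sysmon's real `SourceImage`/`TargetImage` field names) against the four target binaries and the installer names the article lists; the events themselves are constructed for the demo, and the scoring weights and the `_software_x64_` name pattern are assumptions.

```python
"""Flag process injection into the system binaries named in the article.

Added example, not the article's or ASEC's code. Input is a constructed list of
Sysmon-style CreateRemoteThread (Event ID 8) records; the field names follow
Sysmon, but the records themselves are made up for this demonstration.
"""
import re
from pathlib import PureWindowsPath

# Injection targets reported in the article.
INJECTION_TARGETS = {"dialer.exe", "openwith.exe", "dllhost.exe", "rundll32.exe"}
# Installer-lookalike names reported in the article, generalised into a pattern (assumption).
LURE_NAME = re.compile(r"^(notion|slack|trello|goodnotes)_software_x64_.*\.exe$", re.I)
# Locations a just-downloaded installer typically runs from (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample events, not real telemetry.
EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\Notion_software_x64_.exe",
     "TargetImage": r"C:\Windows\System32\dialer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetImage": r"C:\Windows\System32\openwith.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\Slack_software_x64_.exe"},
]


def score_event(ev):
    """Return (score, reasons) for one event. Only Event ID 8 is scored;
    a score of 2 or more is treated as alert-worthy by detect()."""
    if ev.get("EventID") != 8:
        return 0, []
    src = PureWindowsPath(ev["SourceImage"])
    dst = PureWindowsPath(ev["TargetImage"])
    score, reasons = 0, []
    if dst.name.lower() in INJECTION_TARGETS:
        score += 1
        reasons.append(f"remote thread into {dst.name}")
    if any(p in str(src).lower() for p in USER_WRITABLE):
        score += 1
        reasons.append("source runs from a user-writable path")
    if LURE_NAME.match(src.name):
        score += 1
        reasons.append("source name mimics a groupware installer")
    return score, reasons


def detect(events, threshold=2):
    """Return the events that reach the alert threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

On the sample set the Notion-lookalike injecting into dialer.exe scores 3 and the Temp-resident setup.exe injecting into openwith.exe scores 2; csrss.exe touching rundll32.exe scores only 1, which is why the threshold, not the target list alone, decides what reaches an analyst. In a real deployment the user-writable path check would be supplemented with signer information, since the targets are legitimate Windows binaries that do get remote threads from legitimate sources.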

This case confirms that attackers exploit Google Ads and other search engine ad tracking to distribute malware. Users should carefully verify the URL they actually land on, and never trust the URL displayed on the advertised banner.

IoCs

MD5s

  • 9437c89a5f9a51a4ff6d6076083fa6c9
  • 12b6229551fbb1dcb2823bc8b611300f
  • 33aa3073d148816e9e8de0af4f84582e
  • f0a3499f83d2d9066ab19d39b9af6696
  • 2498997ab3e66e24bc08d044e0ef4418
  • f2590ece758eb32302c504ac3ff413f4
  • eef03c8cd2f27ead8b2d59d5cda4cf6e
  • 9034cf58867961cde08a20cb1057c490
  • f7200603cb8aa9e2b544255ed848c9c0

URLs

  • hxxp://tinyurl[.]com/4jnvfsns
  • hxxp://tinyurl[.]com/4a3uxm6m
  • hxxps://textbin[.]net/raw/oumciccl6b
  • hxxp://tinyurl[.]com/mrx7263e
  • hxxp://tinyurl[.]com/253x7rnn
  • hxxps://slashidot[.]org/@abcDP.exe
  • hxxps://yogapets[.]xyz/@abcmse1.exe
  • hxxps://bookpool[.]org/@Incorrect.exe
  • hxxp://birdarid[.]org/@abcDS.exe
  • hxxps://alternativebehavioralconcepts[.]org/databack/notwin.php
  • hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
  • hxxps://cerisico[.]net/

File Detection

  • Trojan/Win.Agent.C5595056 (2024.02.29.02)
  • Trojan/Win.Agent.C5592526 (2024.02.23.02)
  • Trojan/Win.Agent.C5594794 (2024.02.28.03)
  • Trojan/Win.Rhadamanthys.R636740 (2024.02.27.00)

Behavior Detection

  • Injection/MDP.Event.M10231


Source credit : cybersecuritynews.com
