
Hackers Exploit Google Ads Tracking Feature To Deliver Malware


Google Ads is a big platform with a wide user base, which makes it attractive to threat actors who want to reach many targets at once.

Attackers can create malicious ads, or hijack legitimate ones, to spread malware, phishing pages, and other malicious content.

The granular targeting options in Google Ads let attackers aim at specific demographics, locations, or interests, which increases their chances of success.

Google Ads' pay-per-click model can also be abused for fraud, such as click fraud or draining advertisers' budgets. Given the complexity and reach of the Google Ads ecosystem, detecting and preventing such threats is difficult.

AhnLab Security Intelligence Center (ASEC) has recently discovered that hackers are actively exploiting the Google Ads Tracking feature to deliver malware.

Hackers Exploit Google Ads Tracking

AhnLab discovered malware disguised as popular groupware installers like Notion and Slack, distributed via Google Ads tracking. Upon execution, it fetches malicious payloads from attacker servers. 

The identified malicious file names include:

Notion_software_x64_.exe

Slack_software_x64_.exe

Trello_software_x64_.exe

GoodNotes_software_x64_32.exe

URLs (Source – ASEC)

The ad example shows a tracking URL hidden from users. Clicking the visible banner redirects users to the concealed tracking template URL rather than the displayed final URL.

Redirection sequence (Source – ASEC)

The attackers abused the Google Ads tracking template, a feature intended for website traffic analysis, to redirect clicks to a malicious site instead of an analytics endpoint.

While the malicious ad was active (it has since been removed), clicking it redirected users to download harmful files under false pretenses.

The redirection sequence was as follows:

1. hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3yV4nTuE_ptW9t-YIT1-Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96OMpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE

2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8

3. hxxps://cerisico[.]net/

The final landing page was:

hxxps://notione.my-apk[.]com

The final landing page mimicked legitimate groupware sites, tricking visitors into downloading and running the malware.
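The redirect chain above is the detectable part of this campaign: the intermediate page.link hop advertises notion.so in its url= parameter, but the click ends on a lookalike host serving an installer-style executable. The following script, an added example rather than ASEC's or the article's own code, walks such a chain from proxy or sandbox logs and flags the mismatch; the chain is reconstructed from the article's defanged URLs (tracking parameters shortened) and the registrable-domain helper is a deliberate approximation that assumes two labels rather than a public-suffix list.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample chain, refanged from the article's redirection sequence;
# the googleadservices click parameters are shortened to a placeholder.
CHAIN = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE&adurl",
    "https://pantovawy.page.link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8",
    "https://cerisico.net/",
    "https://notione.my-apk.com/Notion_software_x64_.exe",
]

def registrable(host):
    """Crude registrable domain: last two labels (assumption, no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def claimed_destinations(url):
    """Domains a redirector *claims* to send the user to, taken from
    url=/adurl=-style query parameters (a hypothetical parameter list)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    hosts = set()
    for key in ("url", "adurl", "u", "redirect"):
        for val in qs.get(key, []):
            h = urlparse(unquote(val)).hostname
            if h:
                hosts.add(registrable(h))
    return hosts

def analyse_chain(chain):
    """Return human-readable findings for a list of URLs in redirect order."""
    findings = []
    claimed = set()
    for url in chain[:-1]:
        claimed |= claimed_destinations(url)
    final = urlparse(chain[-1])
    final_host = final.hostname or ""
    final_dom = registrable(final_host)
    # 1. The landing domain is not one any intermediate hop claimed to lead to.
    if claimed and final_dom not in claimed:
        findings.append(f"final host {final_host} differs from claimed {sorted(claimed)}")
    # 2. The claimed brand name reappears inside an unrelated landing host (lookalike).
    for dom in claimed:
        brand = dom.split(".")[0]
        if brand and brand in final_host and final_dom != dom:
            findings.append(f"lookalike: '{brand}' appears in {final_host}")
    # 3. The landing URL serves an installer-named executable, as in this campaign.
    name = final.path.rsplit("/", 1)[-1]
    if name.lower().endswith(".exe") and "_software_x64_" in name:
        findings.append(f"installer-style executable download: {name}")
    return findings

if __name__ == "__main__":
    for f in analyse_chain(CHAIN):
        print("ALERT:", f)
```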

After execution, the malware retrieved the addresses of its next-stage payloads from URL-shortening and text-sharing services such as tinyurl.com and textbin.net.

These shared URLs then provided the actual malware download links hosted on compromised domains like slashidot.org, yogapets.xyz, bookpool.org, and birdarid.org, completing the multi-stage infection process.

The Rhadamanthys infostealer fetched from those links is injected into processes of legitimate Windows %system32% binaries such as dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe.

Running inside trusted binaries lets it steal private data while evading detection.

This case confirms that attackers exploit Google Ads and other search engine ad tracking features to distribute malware. Users should verify the URL they actually land on rather than trusting the URL displayed in the ad banner.

IoCs


File Detection

Trojan/Win.Agent.C5595056 (2024.02.29.02)

Trojan/Win.Agent.C5592526 (2024.02.23.02)

Trojan/Win.Agent.C5594794 (2024.02.28.03)

Trojan/Win.Rhadamanthys.R636740 (2024.02.27.00)

Behavior Detection

Injection/MDP.Event.M10231


The post Hackers Exploit Google Ads Tracking Feature To Deliver Malware appeared first on Cyber Security News.
