Malvertising Service Uses Google Ads and Decoy Pages for Malware Distribution
Cybercriminals increasingly use malicious ads through search engines to deploy new malware targeting businesses, marking a rise in browser-based attacks, including social engineering campaigns.
Researchers at Malwarebytes observed PikaBot, a malware family that appeared in early 2023, being distributed via malvertising and used by a threat actor known as TA577.
The latest campaign involves exploiting search ads, and indications suggest the existence of specialized services to aid malware distributors in circumventing Google’s security measures.
This tactic enables them to establish decoy infrastructures, reminiscent of previously identified malvertising chains employed to disseminate threats such as FakeBat.
Researchers at Unit42 in February linked PikaBot to a Matanbuchus drop in a malspam campaign attributed to TA577 by Proofpoint. Researchers have seen the threat actor distribute payloads such as QakBot, IcedID, SystemBC, and Cobalt Strike.
TA577 has also been tied to ransomware distribution. After the August QakBot botnet takedown, Cofense researchers observed an uptick in malspam campaigns delivering both DarkGate and PikaBot.
The typical PikaBot distribution chain involves emails leading users to download a zip archive containing malicious JavaScript.
The JavaScript generates a random directory structure, fetches the malicious payload from an external website and executes it via rundll32, the Windows operating system utility used to run DLLs.
This campaign focuses on Google searches for the remote application AnyDesk, and security researcher Colin Cowie identified the distribution chain and confirmed the payload as PikaBot, according to Ole Villadsen.
Another instance of this campaign used an ad pretending to be from the fake persona “Manca Marina” associated with the AnyDesk brand, featuring a decoy website at anadesky.ovmv.net.
The download is a digitally signed MSI installer, noteworthy for having zero detections on VirusTotal when collected. Of particular interest is its ability to evade detection upon execution.
Similarities With FakeBat
The threat actors exploit a tracking URL through a legitimate marketing platform to bypass Google’s security checks, redirecting to their custom domain behind Cloudflare. Only clean IP addresses proceed to the next step, researchers said.
The threat actors use JavaScript for fingerprinting and to check if the user runs a virtual machine before redirecting to the main landing page, which is a decoy AnyDesk site. After a successful check, a second fingerprinting attempt occurs when the user clicks the download button, likely to ensure the link doesn’t work in a virtualized environment.
Previous malvertising chains, using onelink.me and similar URL structures, were reported to Google and targeted Zoom and Slack search ads and identified payloads such as FakeBat. Researchers said that this pattern suggests a common process among threat actors, possibly indicative of a malvertising-as-a-service model providing Google ads and decoy pages to malware distributors.