RomCom ransomware is being spread via poisoned Google adverts for legitimate software companies including Chat-GPT, PDF Reader Pro and Devolutions’ Remote Desktop Manager.
According to researchers at IT security company Trend Micro, malicious actors are using Google advertisements for trusted companies to entice people into clicking on the advert and downloading RomCom ransomware onto their devices. The malicious actors are doing this through the use of fake sites set up to look like legitimate ones with poisoned uploads that execute the malware on victims’ devices once it is downloaded.
By using paid advertisements slots and SEO tactics, malicious actors can ensure that the poisoned uploads remain at the top of Google’s search results, meaning that more people are likely to fall victim to these trojanized adverts.
RomCom ransomware has been linked to a Cuban ransomware affiliate dubbed ‘Tropical Scorpius’ by Trend Micro. The malware is responsible for a number of attacks across the globe, including those against Ukrainian government agencies in October 2022.
Once it is downloaded onto a device, the backdoor malware can cause damage to victims in a number of ways, including executing more malicious files on the infected device, running malicious programs and exfiltrating data from the compromised devices. It can also run spyware in hidden windows, set up proxy servers for malicious activities and even compress and send files on the infected device to servers owned by the malicious actors.
RomCom ransomware also has the ability to take screenshots on the device, meaning that any confidential, personal or compromising information entered into the device can be used by the hackers for their own means. This includes gaining access to financial services like banks, cryptocurrency wallets and other payment services, access chat messages stored on the device and steal all login credentials entered into the device.
Bumblebee ransomware spread via poisoned Google ads
In April of this year, it was found that malicious actors were employing SEO tactics and paying for targeted advertisements to entice victims into clicking on malware.
Cyber security company Secureworks found malicious actors had been using poisoned ad installers as trojans to spread Bumblebee malware. These ad installers were associated with a number of well-known companies including Zoom, Citrix Workspace, Cisco AnyConnect and OpenAI’s ChatGPT. For example, Secureworks researchers found that a malicious actor had not only created a poisoned ad installer for Cisco AnyConnect, but a fake download page for the malware as well. They were able to do this by exploiting a compromised WordPress site.
Once Bumblebee malware is downloaded, malicious actors most often use it to launch ransomware within the infected device. In one case, Secureworks researchers found that the malicious actor moved laterally across the device, downloading and launching a number of applications and software programs including legitimate remote access tools AnyDesk and Dameware as well as penetration testing malware Colbalt Strike.