Security researchers are warning that Google Ads are being actively leveraged to distribute malware to unsuspecting victims searching for software downloads.
On January 20, CronUp researcher Germán Fernández warned that the DEV-0569 ransomware group is using Google Ads to distribute Gozi/Ursnif malware, RedLine stealer, and Royal ransomware.
“For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), NSudo to launch binaries with full privileges and GnuPG to encrypt the payloads,” Fernández added, noting that as a result, the initial file triggers no hits in VirusTotal.
Compromised Domains Redirected
The Google Ads used for the campaign, Fernández wrote, use several compromised domains that redirect to the malicious sites based on the Google Ad campaign ID – so if you’re not visiting via Google, no redirect is triggered.
On January 23, Fernández noted that the TA505 group is launching similar campaigns.
And the campaigns appear to be ongoing.
MalwareHunterTeam reported that a Google search for “libreoffice” yielded two ads linking to malicious domains, which were prioritized over a legitimate listing.
Researcher Will Dormann responded, “Interesting that the malware ad is given priority over the real LibreOffice ad. I wonder whether:
- Threat actor paid more for their ad placement?
- The TA asked nicely for preferential treatment?
- Google believes that the malware download page is more legit than the real one?”
Google is trying to respond – the company told Bleeping Computer that it’s removing the malicious ads whenever they’re detected, stating, “We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands, and we enforce them vigorously.”
In the meantime, the companies and open source projects whose software is being used as a lure are increasingly aware of the problem. One of them, the OBS Project, recently tweeted, “We are still seeing many users fall victim to fake websites in Google sponsored links distributing malware. Many of them mimic the appearance of the real site. We do not have any ads for OBS! Please ONLY download from our official website obsproject.com or our GitHub!”
NFT influencer “NFT God” lost what he called “a life changing amount of my net worth” after trying to download OBS via a sponsored link from a Google search.
Instead of receiving the software, he inadvertently installed malware that enabled attackers to steal all his cryptocurrency and NFTs, take over his Substack, and send emails with hacked links to his 16,000 subscribers.
How to Respond to the Google Ad Threat
Nextron Systems head of research Florian Roth advised, “In a time in which online ads mostly link to malware, ad blockers should be considered as self-defense and their use an essential contribution to a solid security posture.”
More broadly, the Deutsche Telekom CERT suggested, “To protect from this threat, online users should check twice before downloading files from dubious websites. When in doubt, users can check a trusted source to find the legitimate URL of a given product or software.”
“Companies should set up policies to block software from untrusted sources,” they added. “Software that is needed for normal business operation should be provided through trusted repositories. Furthermore, EDR solutions can help to spot suspicious information stealer behavior.”
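The Add-MpPreference step Fernández describes and the EDR advice from the Deutsche Telekom CERT point at the same detection: alert whenever a Windows Defender exclusion is added, and weight the alert by how broad the exclusion is (a user-writable directory, a whole drive, or an executable extension is far more suspicious than a single product folder). The Python below is an added example written for this article, not code from any of the researchers, vendors or projects quoted. The event records are constructed, simplified dictionaries standing in for Defender Event ID 5007 (configuration changed), PowerShell script-block logging Event ID 4104 and Sysmon Event ID 1 (process creation); the field names and message wording are assumptions, so the regexes need adjusting to the shape of a real log export.

```python
"""Flag Windows Defender exclusion changes across three telemetry sources.

Added example; the sample events below are constructed and simplified,
not real exported logs. Sources modelled:
  - Microsoft-Windows-Windows Defender/Operational, Event ID 5007
    (configuration changed; 'message' carries the registry value written)
  - Microsoft-Windows-PowerShell/Operational, Event ID 4104
    (script block logging; 'script' holds the block text)
  - Microsoft-Windows-Sysmon/Operational, Event ID 1
    (process creation; 'command_line' holds the full command line)
"""
import re
from dataclasses import dataclass

# 5007 messages name the registry value under ...\Exclusions\<Kind>\<value> = <data>
EXCLUSION_KEY_RE = re.compile(
    r"Exclusions\\(?P<kind>Paths|Extensions|Processes)\\(?P<value>[^=]+?)\s*=",
    re.IGNORECASE,
)
# One argument: double-quoted, single-quoted, or bare token (no spaces/commas)
_VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s,]+)"""
# -ExclusionPath/-ExclusionExtension/-ExclusionProcess followed by a comma list
EXCLUSION_PARAM_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Extension|Process)\s+(?P<values>"
    + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
KIND_NAMES = {"path": "Paths", "paths": "Paths", "extension": "Extensions",
              "extensions": "Extensions", "process": "Processes",
              "processes": "Processes"}
# Exclusions that any local user can abuse, or that blind Defender to most code
HIGH_RISK_HINTS = (
    r"\\users\\public", r"\\temp\\", r"\\appdata\\", r"\\programdata\\",
    r"^[a-z]:\\?$",                        # an entire drive
    r"^\*?\.?(exe|dll|ps1|bat|js|vbs)$",   # broad executable extensions
)


@dataclass
class Finding:
    source: str    # "<provider>:<event id>"
    kind: str      # Paths / Extensions / Processes
    value: str     # the excluded path, extension or process name
    severity: str  # "high" or "medium"


def _severity(value: str) -> str:
    v = value.lower()
    return "high" if any(re.search(p, v) for p in HIGH_RISK_HINTS) else "medium"


def _finding(source: str, kind: str, raw_value: str) -> Finding:
    value = raw_value.strip().strip("\"'")
    return Finding(source, KIND_NAMES[kind.lower()], value, _severity(value))


def detect(events: list) -> list:
    """Return one Finding per exclusion added, in event order."""
    findings = []
    for ev in events:
        src = f"{ev['provider']}:{ev['event_id']}"
        if ev["event_id"] == 5007 and "Defender" in ev["provider"]:
            m = EXCLUSION_KEY_RE.search(ev.get("message", ""))
            if m:
                findings.append(_finding(src, m.group("kind"), m.group("value")))
            continue
        # Script blocks and command lines: only act on the cmdlet that adds
        # exclusions, so that auditing with Get-MpPreference does not alert.
        text = ev.get("script") or ev.get("command_line") or ""
        if "add-mppreference" not in text.lower():
            continue
        for m in EXCLUSION_PARAM_RE.finditer(text):
            for v in re.split(r"\s*,\s*", m.group("values")):
                findings.append(_finding(src, m.group("kind"), v))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity, e.g. {'high': 4, 'medium': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample telemetry (simplified wording, not real log exports)
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": r"Configuration has changed. Old value:  New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\ = 0x0"},
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": r"Configuration has changed. Old value:  New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"},
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": r"Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\DisableArchiveScanning = 0x1"},
    {"provider": "Microsoft-Windows-PowerShell", "event_id": 4104,
     "script": r'Add-MpPreference -ExclusionPath "C:\Users\Public\svc", "C:\ProgramData\svc"'},
    {"provider": "Microsoft-Windows-PowerShell", "event_id": 4104,
     "script": "Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "command_line": "powershell.exe -Command Add-MpPreference -ExclusionProcess nsudo.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source} {f.kind}: {f.value}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The 5007 event is the most robust signal because it fires regardless of how the exclusion was added (cmdlet, WMI, Group Policy or direct registry write); the 4104 and Sysmon rules add the command that did it and the account that ran it. A whole-extension exclusion such as `.exe`, or any path under Users\Public or ProgramData, should page someone rather than sit in a queue.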
Hive Ransomware Group Disrupted
Cyber defenders also got some good news for a change: The U.S. Department of Justice today announced a globally coordinated effort to disrupt the operations of the Hive ransomware group.
Since July 2022, the DoJ said, the FBI has “penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded.”
Since infiltrating Hive’s network, the FBI has provided more than 300 decryption keys to Hive victims who were under attack, and distributed more than 1,000 additional decryption keys to previous Hive victims.
And in coordination with German law enforcement and the Netherlands National High Tech Crime Unit, authorities have “seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims.”