With the rise of online advertising, malvertisers have identified a new avenue for their nefarious activities. By leveraging Google Ads, they are specifically targeting users who search for popular software, such as Notepad++ and PDF converters. This insidious campaign involves directing unsuspecting victims to fictitious landing pages, deploying next-stage payloads, and employing various techniques to evade detection and maximize their reach.
Malvertisers are targeting users searching for popular software through Google Ads
Malvertisers aim to exploit the trust users have in Google Ads by delivering malicious content to individuals actively seeking legitimate software solutions.
Use of fictitious landing pages and distribution of next-stage payloads
Malvertisers employ a two-stage attack approach. Initially, users are redirected to deceptive landing pages masquerading as official software websites. These pages appear legitimate and prompt unsuspecting visitors to download software installers, unknowingly infecting their systems.
Singling out users searching for Notepad++ and PDF converters
The campaign specifically targets users searching for Notepad++ and PDF converters, capitalizing on the popularity and widespread use of these applications. Malvertisers precisely tailor their ads to capture the attention of individuals seeking these specific software solutions.
Utilization of decoy sites to filter out bots and unintended IP addresses
To avoid detection and narrow their focus on genuine users, malvertisers employ decoy sites. These dummy sites are presented to filter out bots and unintended IP addresses, ensuring that only real potential victims proceed to the next stage.
Silent fingerprinting of the system to identify virtual machines
To further enhance their targeting, malvertisers silently fingerprint the user’s system to detect if it’s a virtual machine. If identified as such, the user is redirected to the legitimate Notepad++ website, adding an additional layer of deception.
Users who fail the system check and are identified as using virtual machines are redirected to the legitimate Notepad++ website, leading them to believe they have narrowly escaped encountering malware.
Users who pass the fingerprinting check are redirected to a meticulously crafted replica website, seemingly promoting the sought-after software. Unbeknownst to the victims, this website is controlled by the malvertisers and serves as a gateway for the further deployment of malware.
Assigning unique IDs to potential targets for tracking purposes
Malvertisers assign unique IDs to potential targets as a means of tracking their activities and effectiveness. This allows them to refine their campaign, optimize their approach, and potentially target victims across multiple phases.
The final stage malware
The last stage in the malvertising campaign involves distributing an HTML Application (HTA) payload. This payload establishes a connection to a remote domain controlled by the malvertisers, providing them with unauthorized access to infected systems and opportunities for information theft.
In an alarming twist, malvertisers combine Punycode, a technique for representing Unicode characters with ASCII, with rogue Google Ads. This enables them to conduct homograph attacks, tricking users into clicking on ads that resemble legitimate software websites but contain malicious intent.
The utilization of Google Ads by malvertisers to target users searching for popular software poses a significant threat to online privacy and security. To protect against such attacks, users should exercise caution when downloading software from unknown sources and ensure they are accessing legitimate websites. Maintaining up-to-date antivirus software, conducting regular system scans, and staying informed about the latest malvertising techniques are crucial steps in mitigating the risk. It is of utmost importance for online platforms, including Google, to strengthen their ad-filtering mechanisms and enhance measures to effectively tackle malvertisements. By working together, users, organizations, and advertising platforms can collectively combat this growing menace and safeguard the integrity of online software distribution.