Google is the largest search engine with the most users on the face of the planet. Its ad platform, dubbed Google Ads, is used by advertisers worldwide to show ads on search results pages and on third-party websites.
According to the latest report by Guardio Labs, cyber-criminal groups are abusing the powerful advertisement platform to promote rogue search results en masse. Their aim is to trick users into visiting phishing pages and downloading malicious software. The malware mimics legitimate applications such as AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Zoom, Audacity, OBS, LibreOffice, TeamViewer, Thunderbird, Brave, and more.
How MasquerAds Work
The genius of the MasquerAds campaign is that it’s simple, yet extremely lethal. This is because it abuses the trust users have in the highly reputable search engine, and consequently in its search results (whether organic or promoted).
As a user, let’s say you are searching for the Grammarly application. Google will display the search results, and the official (probably promoted) Grammarly website will be at or near the top of the search results page. Once you click on the link, you will be redirected to the official website or landing page of Grammarly.
In the case of MasquerAds, the cyber criminals create clones of original websites like Grammarly, Thunderbird, Malwarebytes, MSI Afterburner, Dashlane, and Slack among others. They then use typo-squatted domain names that are similar to the original websites e.g. grammalry.org (the legitimate domain name is grammarly.org) to further create the perception of legitimacy, and promote the illegitimate sites with appropriate keywords to keep them valid and safe in the eyes of the policy enforcer (Google).
Yet, the moment those “disguised” sites are visited by targeted visitors (those who actually click on the promoted search result), the server immediately redirects them to the rogue site, which uses another typo-squatted domain name (e.g. gramm-arly.org), and from there to the malicious payload — usually also hiding inside reputable file sharing and code hosting services like GitHub, Dropbox, Discord’s CDN, etc.
The user then inadvertently downloads malware onto their device, thinking that they are downloading the legitimate application. Multiple malware families are delivered this way, including the IcedID malware loader, Vidar Stealer, RedLine information stealer, and variants of Raccoon Stealer, which are installed on the victim’s device without the browser being aware of it at all.
To avoid detection, MasquerAds employ multiple strategies, for example:
Server-side redirection: The redirect to the rogue site happens on the server side, so Google’s checks never see the phishing site.
Bundled with the actual software: A target downloading Grammarly from the phishing site will get the legitimate version of Grammarly. But it’s bundled with an executable file that wreaks damage under the hood.
Bloated files: The malware executable is padded with zero bytes to make it larger than 500 MB or so — the maximum size an automated malware scanner allows. Furthermore, less than 1% of the code is tainted with malicious snippets. As a result, it can fly under the radar of most endpoint detection tools.
Changing payloads periodically: The malware in the payload is periodically changed. One day, they’ll employ a Raccoon Stealer from Dropbox, and on another, a Vidar Stealer from GitHub. Yet, this doesn’t change the downloadable Grammarly.exe file.
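The “bloated files” trick above can be checked for on the defender’s side: a file that sits just past a scanner’s size cutoff yet consists mostly of null bytes is the pattern the report describes. The following is an added example (not code from Guardio Labs or from this article) that profiles a file’s null-byte padding and strips trailing padding so the remainder can be scanned in full; the 500 MB cutoff comes from the text, while the 0.9 null ratio and the sample bytes are assumptions.

```python
import mmap
import os
import re
from dataclasses import dataclass

MB = 1024 * 1024
NULL_RUN = re.compile(rb"\x00+")  # one match per run of consecutive null bytes

@dataclass
class PaddingReport:
    size: int
    null_bytes: int
    longest_null_run: int

    @property
    def null_ratio(self) -> float:
        return self.null_bytes / self.size if self.size else 0.0

def profile_bytes(data) -> PaddingReport:
    """Single pass over any buffer (bytes or mmap): null count and longest run."""
    nulls = longest = 0
    for m in NULL_RUN.finditer(data):
        run = m.end() - m.start()
        nulls += run
        longest = max(longest, run)
    return PaddingReport(len(data), nulls, longest)

def profile_file(path: str) -> PaddingReport:
    """Memory-map the file so a 500 MB sample is not read into RAM."""
    with open(path, "rb") as fh:
        if os.fstat(fh.fileno()).st_size == 0:
            return PaddingReport(0, 0, 0)
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return profile_bytes(mm)

def is_suspicious_bloat(rep: PaddingReport, size_limit: int = 500 * MB,
                        min_null_ratio: float = 0.9) -> bool:
    """Past the scanner cutoff (the page's 500 MB) yet mostly empty bytes.
    Genuine installers are compressed, so their null ratio is low; 0.9 is
    an assumed threshold, not a figure from the report."""
    return rep.size > size_limit and rep.null_ratio >= min_null_ratio

def strip_trailing_padding(data: bytes) -> bytes:
    """Drop trailing null padding so what remains fits under the scanner limit
    and can be submitted for a full scan (keep the original's hash as well)."""
    return data.rstrip(b"\x00")

# Constructed sample: a fake "MZ" header, 300 zero bytes (normal in a real
# executable), a marker, then a large block of pure zero padding.
SAMPLE = b"MZ" + bytes(300) + b"payload" + bytes(10_000)
```

Run `profile_file()` on a downloaded installer and feed the report to `is_suspicious_bloat()`; anything flagged should be hashed, trimmed with `strip_trailing_padding()` and sent through the full scanner rather than skipped for size.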
Guardio Labs is attributing a huge chunk of the activity to a threat actor it is tracking under the name Vermux, noting that the adversary is “abusing a vast list of brands and keeps on evolving”. Vermux is leveraging massive numbers of “masquerAds” sites and domains, served mostly from Russia, to target USA and Canada residents’ GPUs (for crypto mining) and crypto wallets.
How to Protect Ourselves
Cybercriminals are employing increasingly creative ways to target unwary users and businesses. To thwart their attempts, different organizations should take appropriate steps to prevent the proliferation of malware through MasquerAds. For instance:
Google can block the ad campaign once it detects that the advertised download is packing malware.
File hosting services need to make more effort to ensure the files they host are legitimate.
Endpoint detection tools need to be upgraded and made more robust so that they can detect such malware more easily.
On an individual level, we can also protect ourselves through:
Using reputable and updated endpoint detection and response tools.
Always double checking domain names and being careful where we download our files.