A malvertising campaign has emerged that takes advantage of Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads, a new report has found.

According to the cybersecurity company Malwarebytes, the malvertising campaign is “unique in its way to fingerprint users and distribute time-sensitive payloads”.

The attack targets users searching for Notepad++ and PDF converters with fake ads on Google search. These ads take users to a decoy site after filtering out bots and unwanted IP addresses.

The victim is redirected to a fake website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine.

Users who fail the security check are redirected to the legitimate Notepad++ website. Potential targets are assigned a unique ID for tracking and to make each download unique and time-sensitive, according to the report.

Buy Me a Coffee

The final-stage malware establishes a connection to a remote domain (“mybigeye[.]icu”) on a custom port and serves follow-on malware through an HTA payload.

“Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims,” said Jerome Segura, director of threat intelligence, at Malwarebytes.

“With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads,” he added.

Users who land on the decoy site are tricked into downloading a malicious installer, which then executes FakeBat (a.k.a EugenLoader), a loader designed to download additional malicious code, the report noted.

READ
Clop Ransomware Takes Credit for Cleo Data Breaches