A campaign is spreading malware disguised as legitimate installers for popular workplace collaboration apps by exploiting a traffic-tracking feature.
Once again, attackers are misusing Google Ads to target individuals with malware designed to steal information. This time, they're using an ad-tracking feature to entice corporate users with fake ads promoting well-known collaboration tools like Slack and Notion.
Researchers uncovered a malicious campaign that abuses an ad-tracking feature to embed URLs leading to malware distribution sites, delivering payloads including the Rhadamanthys stealer. AhnLab Security Intelligence Center (ASEC) shared its findings in a blog post this week. The feature allows advertisers to add external analytics website links to their ads in order to gather and utilise visitors' access data for ad traffic analysis.
However, instead of using legitimate statistics sites, attackers are exploiting this feature to insert links to sites distributing harmful code, as revealed by the researchers.
Although the ads associated with the campaign have since been removed, they were live for a period. Clicking on the banners directed unsuspecting users to a website where they could unknowingly download a malicious file.
In this campaign, Rhadamanthys is disguised as an installer for commonly used groupware, which is often relied upon by corporate teams for collaborating in the workplace. Once the malware is installed and activated, it fetches harmful files and payloads from the attacker's server.
Beware of Redirects to Malware Downloads
Attackers designed the campaign to display banner ads with hidden tracking URLs, leading users to a URL controlled by the attackers. This landing page mimics the appearance of legitimate groupware websites like Slack or Notion, tricking visitors into downloading and running the malware disguised as an installer.
The campaign primarily uses installers like Inno Setup or Nullsoft Scriptable Install System (NSIS). Specific executable files used include Notion_software_x64_.exe, Slack_software_x64_.exe, Trello_software_x64_.exe, and GoodNotes_software_x64_32.exe.
"After execution, the malware uses websites like textbin or tinyurl to access malicious payload addresses," stated ASEC in its blog post, which details the URLs the attackers employed to fetch these addresses for delivery to users.
The main payload of the campaign is the Rhadamanthys stealer, which injects itself into legitimate Windows files under the "%system32%" path. This enables the stealer to secretly gather users' private data, as highlighted by the researchers.
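The two observable behaviours described above, a dropper whose file name follows the "<Product>_software_x64_<suffix>.exe" shape and a lookup of a paste or URL-shortener site shortly after it starts, can be turned into a simple endpoint detection. The following is an added example written for this article, not code from ASEC or from the campaign; it runs over a handful of constructed Sysmon-style events (process creation and network connection), and the 120-second attribution window, the event field names and the hostname hints `textbin` / `tinyurl` are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Installer names reported in the campaign: Notion_software_x64_.exe,
# Slack_software_x64_.exe, Trello_software_x64_.exe, GoodNotes_software_x64_32.exe.
# The regex generalises the "<Product>_software_x64_<suffix>.exe" shape (assumption).
INSTALLER_NAME_RE = re.compile(r"^[a-z0-9]+_software_x64_[a-z0-9]*\.exe$", re.IGNORECASE)

# Services the article names as the first hop for fetching payload addresses;
# matched as substrings of the destination hostname so exact domains are not hard-coded.
PAYLOAD_RESOLVER_HINTS = ("textbin", "tinyurl")

# How long after process start a resolver lookup is still attributed to the dropper (assumption).
WINDOW = timedelta(seconds=120)

# Constructed sample telemetry: one dropper that phones a shortener, one benign Slack
# client, a browser that visits a shortener (not an installer, so not an alert), and a
# second dropper that has not made a network connection yet.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "event": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\Slack_software_x64_.exe"},
    {"time": "2024-01-01T10:00:07", "event": "network_connect", "pid": 4120,
     "dest_host": "tinyurl.com"},
    {"time": "2024-01-01T10:01:00", "event": "process_create", "pid": 5000,
     "image": r"C:\Program Files\Slack\slack.exe"},
    {"time": "2024-01-01T10:01:05", "event": "network_connect", "pid": 5000,
     "dest_host": "slack.com"},
    {"time": "2024-01-01T10:01:30", "event": "process_create", "pid": 7000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"time": "2024-01-01T10:02:00", "event": "network_connect", "pid": 7000,
     "dest_host": "tinyurl.com"},
    {"time": "2024-01-01T10:05:00", "event": "process_create", "pid": 6100,
     "image": r"C:\Users\bob\Downloads\Notion_software_x64_.exe"},
]


def basename(path: str) -> str:
    """Return the file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_suspicious_installer_name(image_path: str) -> bool:
    """True when the executable name matches the campaign's installer naming pattern."""
    return bool(INSTALLER_NAME_RE.match(basename(image_path)))


def looks_like_payload_resolver(host: str) -> bool:
    """True when the destination host is one of the paste/shortener services named in the report."""
    host = host.lower()
    return any(hint in host for hint in PAYLOAD_RESOLVER_HINTS)


def detect(events):
    """Correlate suspicious installer launches with follow-up resolver lookups.

    Returns a list of alert dicts. A matching file name alone yields a medium alert;
    a network connection from that process to a resolver within WINDOW yields a high one.
    PIDs are assumed not to be reused inside the window (simplification for the example).
    """
    dropper_starts = {}  # pid -> (start time, image path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event"] == "process_create":
            if is_suspicious_installer_name(ev["image"]):
                dropper_starts[ev["pid"]] = (t, ev["image"])
                alerts.append({"pid": ev["pid"], "image": ev["image"], "severity": "medium",
                               "reason": "installer name matches campaign pattern", "host": None})
        elif ev["event"] == "network_connect":
            start = dropper_starts.get(ev["pid"])
            if start and t - start[0] <= WINDOW and looks_like_payload_resolver(ev["dest_host"]):
                alerts.append({"pid": ev["pid"], "image": start[1], "severity": "high",
                               "reason": "suspicious installer contacted payload resolver",
                               "host": ev["dest_host"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} {basename(alert['image'])}: {alert['reason']}"
              + (f" ({alert['host']})" if alert["host"] else ""))
```

The file-name match on its own is weak evidence, since a legitimate vendor could ship a similarly named binary; the correlation with an early outbound connection to a paste or shortener service is what raises confidence, and in production the same logic would be expressed as a SIEM correlation rule over real Sysmon Event IDs 1 and 3.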
Rhadamanthys is a favoured tool among attackers and can be bought on the Dark Web under a malware-as-a-service model. It functions like a typical stealer, gathering system information such as computer name, username, OS version, and other details. It also scans browser directories of installed browsers like Brave, Edge, Chrome, Firefox, and Opera Software to steal browsing history, bookmarks, cookies, login details, and more.
Stay Alert: Be Mindful of Ad-Delivered URLs
This campaign isn't the first time attackers have misused Google Ads and its features to spread Rhadamanthys and other malware. Back in January 2023, a similar campaign used website redirects from Google Ads and fake download offers for popular remote-work software like Zoom and AnyDesk to distribute Rhadamanthys.
Attackers have even taken advantage of the "dynamic search ads" feature of the service to boost the impact of malicious campaigns, creating targeted ads to unleash a flood of malware.
Because any search engine that uses tracking URLs to measure ad traffic can be abused in this way to distribute malware, users need to stay cautious when clicking on links from Google ads. Specifically, they should "pay attention to the URL seen when visiting the website, not just the one shown in the ad banner" to avoid falling victim to a malicious campaign.
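The advice to compare the URL actually reached with the one shown in the ad can be automated on a proxy or browser-history log. The following is an added example, not code from ASEC or from the article: given the domain displayed in the ad and the final landing URL after all redirects, it reports when the two belong to different registrable domains, when the landing URL hides its real host behind an `@` userinfo section, or when the host uses a punycode label that can disguise a lookalike name. The tiny multi-label suffix set is an assumption for the example; a real check should consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Minimal stand-in for the Public Suffix List (assumption); "co.uk" style suffixes need
# three labels to form a registrable domain instead of two.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url: str):
    """Return (lower-cased hostname, whether a userinfo '@' section was present)."""
    if "://" not in url:
        url = "https://" + url  # ad banners usually show a bare domain
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, "@" in parts.netloc


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain an attacker would have had to register."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_landing(displayed_url: str, final_url: str):
    """Compare the domain shown in an ad with the page the click actually ended on.

    Returns a list of findings; an empty list means the landing page is on the
    same registrable domain as the one displayed.
    """
    shown, _ = hostname_of(displayed_url)
    landed, has_userinfo = hostname_of(final_url)
    findings = []
    if has_userinfo:
        findings.append(f"landing URL hides its real host behind '@'; actual host is {landed}")
    if any(label.startswith("xn--") for label in landed.split(".")):
        findings.append(f"landing host {landed} contains a punycode label (possible lookalike)")
    if registrable_domain(shown) != registrable_domain(landed):
        findings.append(f"landing domain {registrable_domain(landed)} differs from "
                        f"displayed domain {registrable_domain(shown)}")
    return findings


if __name__ == "__main__":
    # Constructed examples: one consistent click and three that should be flagged.
    samples = [
        ("slack.com", "https://www.slack.com/downloads/windows"),
        ("https://www.notion.so", "https://notion-download.example/Notion_software_x64_.exe"),
        ("https://slack.com", "https://slack.com@evil.example/setup.exe"),
        ("https://example.co.uk", "https://www.example.co.uk/start"),
    ]
    for shown_url, final in samples:
        print(shown_url, "->", final)
        for finding in check_landing(shown_url, final) or ["ok"]:
            print("   ", finding)
```

The registrable-domain comparison deliberately tolerates `www.` and other subdomains of the advertised site, so a legitimate redirect from `slack.com` to `www.slack.com` is not reported, while a redirect to any other registered name is.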
Additionally, ASEC shared a detailed list of URLs related to different stages of the campaign to help administrators identify whether any corporate users have been affected by it.