Malware
November 15, 2023

Malicious CPU-Z App Exploits Google Ads on Deceptive Windows News Site

A malicious actor has been exploiting Google Ads as a vector for disseminating a tampered version of the CPU-Z tool, serving as a conduit for delivering the Redline info-stealing malware.

Malwarebytes analysts recently detected this new campaign and, upon scrutinising the supporting infrastructure, concluded that it is linked to the same operation that previously leveraged Notepad++ malvertising to deploy malicious payloads.

Details of the Campaign

The deceptive Google ad promoting the trojanised version of CPU-Z, a tool designed for profiling computer hardware on Windows, is hosted on a duplicated version of the authentic Windows news site, WindowsReport.

CPU-Z stands out as a widely used free utility, offering users the capability to monitor various hardware components, encompassing fan speeds, CPU clock rates, voltage, and cache details.

Upon clicking the ad, the victim passes through a redirect chain designed to deceive Google's anti-abuse crawlers: visitors the operators judge to be invalid are sent to a seemingly harmless decoy site.

Visitors identified as eligible to receive the payload are instead redirected to a counterfeit Windows news site hosted on one of the following domains:

argenferia[.]com

realvnc[.]pro

corporatecomf[.]online

cilrix-corp[.]pro

thecoopmodel[.]com

winscp-apps[.]online

wireshark-app[.]online

cilrix-corporate[.]online

workspace-app[.]online
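The domains above are published defanged, so a defender wanting to sweep proxy or DNS logs for them first has to refang them and then match on exact hosts or subdomains without catching unrelated names that merely end in the same string. The following is an added example written for this article (it is not code from Malwarebytes, Google, or the post's author): it takes the article's domain list, refangs it, and runs it over a few constructed Squid-style proxy log lines, treating CONNECT entries (host:port) and full URLs differently. The log lines and client addresses are invented for illustration.

```python
"""Sweep web-proxy log lines for the malvertising landing domains from the article.

Added example; the domain list comes from the article, the log lines below are
constructed for illustration and are not real traffic.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Landing-page domains as reported in the article, in defanged form.
DEFANGED_DOMAINS = [
    "argenferia[.]com",
    "realvnc[.]pro",
    "corporatecomf[.]online",
    "cilrix-corp[.]pro",
    "thecoopmodel[.]com",
    "winscp-apps[.]online",
    "wireshark-app[.]online",
    "cilrix-corporate[.]online",
    "workspace-app[.]online",
]


def refang(indicator: str) -> str:
    """Turn common defanging ('[.]', '(.)', 'hxxp') back into a usable name."""
    return (indicator.strip().lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> Optional[str]:
    """Return the matching IoC if host equals it or is a subdomain of it.

    The '.' boundary matters: 'notargenferia.com' must not match 'argenferia.com'.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Squid native access-log layout (constructed sample below follows it):
# <timestamp> <elapsed> <client_ip> <result/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, host, matched_ioc) for every line that hits the IoC list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines rather than crash
        url = m.group("url")
        if m.group("method") == "CONNECT":
            # CONNECT lines carry host:port instead of a full URL.
            host = url.rsplit(":", 1)[0]
        else:
            host = urlsplit(url).hostname or ""
        ioc = host_matches(host)
        if ioc:
            hits.append((m.group("client"), host, ioc))
    return hits


# Constructed sample log: one benign CONNECT, one IoC subdomain over CONNECT,
# one plain-HTTP download from an IoC domain, and one near-miss that must not match.
SAMPLE_LOG = [
    "1700000001.123    120 10.0.0.5 TCP_TUNNEL/200 4521 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -",
    "1700000002.456    300 10.0.0.5 TCP_TUNNEL/200 9011 CONNECT www.argenferia.com:443 - HIER_DIRECT/203.0.113.11 -",
    "1700000003.789     80 10.0.0.9 TCP_MISS/200 2210 GET http://realvnc.pro/download/cpu-z.msi - HIER_DIRECT/203.0.113.12 application/x-msi",
    "1700000004.000     40 10.0.0.7 TCP_MISS/200 1000 GET http://notargenferia.com/ - HIER_DIRECT/203.0.113.13 text/html",
]

if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT client={client} host={host} matched={ioc}")
```

Matching on the registered domain plus its subdomains is deliberate: the article's redirect chain lands on hosts under these domains, and a campaign can add hostnames under the same domain at any time. The same `host_matches` check can be pointed at DNS resolver logs, where only the queried name is available.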

The utilization of a replica of a credible site serves to introduce an additional layer of trust into the infection process. Users, accustomed to tech news sites featuring download links for valuable utilities, are more likely to be lured by this deceptive tactic.

Upon clicking the 'Download now' button, users receive a digitally signed CPU-Z installer (an MSI file) that carries a malicious PowerShell script identified as the 'FakeBat' malware loader.

The use of a legitimate certificate to sign the file reduces the likelihood of Windows security tools or third-party antivirus products on the device triggering a warning for the user.

Subsequently, the loader retrieves a Redline Stealer payload from a remote URL and initiates its execution on the victim's computer.

Redline, a formidable data stealer, possesses the capability to gather passwords, cookies, and browsing data from various web browsers and applications. Additionally, it can extract sensitive information from cryptocurrency wallets.

To reduce the risk of malware infections while searching for specific software tools, users are advised to exercise caution when clicking on promoted results in Google Search. It is crucial to verify that the site which loads matches the domain shown in the ad. Alternatively, an ad-blocker that automatically hides such promoted results can reduce exposure to this kind of lure.

An update

A spokesperson from Google provided the following statement to address the malvertising campaign facilitated by Google Ads:

Ads featuring malicious software are not permitted on our platform. The ads that violated our policies have been promptly removed, and necessary actions have been taken against the associated accounts.

The landscape of bad actors is evolving, employing sophisticated tactics on a larger scale to evade our detection measures.

We are committed to robust safety measures for our ads and maintain a dedicated team working tirelessly to enforce our policies on a broad scale.
