Large scale Google Ads campaign targets utility software

After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack.

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been banned. However, we are still finding new malicious ads and hearing from others seeing the same, indicating that this campaign is not over yet.

Wanted: Utility software

The threat actor is abusing various platforms to host their payloads, giving insights into what they are choosing to lure in victims. For Windows users, all payloads were found in various GitHub accounts which we have reported already.

For Mac, we saw payloads originating from the same domain via PHP scripts using identifiers. These appear to be created for individual and perhaps time-based downloads. Other links that include the name of the software (i.e. clockify_mac.php) work regardless.

creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php
creativekt[.]com/macdownloads/script_66ffc3cf465a45.36592714.php
creativekt[.]com/macdownloads/clockify_mac.php
creativekt[.]com/macdownloads/script_66e6ba358cd842.42527539.php

Impersonating two identities at once

When we searched for Slack from the US, the top Google result was an ad that looked completely trustworthy. It had the brand’s logo, official website and even detailed description.

If you follow this blog, you probably know there is more to it. By clicking on the three dots next to the ad, you can see more information about the advertiser, which in this case is a law firm.

Note: We understand that most users will not—for lack of time, interest or knowledge—take this step, which is why we offer solutions such as Malwarebytes Browser Guard that automatically blocks ads.

The “My Ad Center” vignette shows that the advertiser was not verified yet, but we were able to access their profile and see their collection of ads. There were four ads in total, and three of them were related to lawyer services using the name and address of a real company in the US.

The Slack ad was somewhat the odd one sticking out but could, in theory, have been promoted by this advertiser. What we believe is the problem with Google ads is how any advertiser can still use the branding of a major company as if they were them. From the point of view of internet users, this is extremely deceiving and provides no rail guard against abuse.

After we validated the ad ourselves and saw where it redirected to (a malicious site), we reported it to Google. Very shortly thereafter, Google took action and removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen identity this time from a women’s health company.

Decoy site and payload

As we have seen before, the malicious ad starts a redirection chain made of various click trackers, cloaking and a decoy site. This allows victim profiling, but more importantly it is used to avoid automated detection in order to keep the ad up and running as long as possible.

Victims eventually land on a decoy sites, similar to those used for phishing credentials, except here the end goal is to trick users into downloading malware.

Windows users get their respective payload hosted on GitHub. The binaries have been inflated into large files to hinder sandbox analysis and are likely Rhadamathys infostealer.

For Apple users, the installers are also an infostealer, branched out of the AMOS (Atomic Stealer) family. Passwords and other secrets found on a system within the file system, browsers, extensions and apps are grabbed and uploaded as a zip archive onto a remote server located in Russia:

Conclusion

When we investigate ads, we use a simple yet realistic setup that mimics what most users would have. This is not an automated process, which sometimes requires multiple attempts from different geographic locations and browser profiles. While this work can be tedious and time consuming, we believe it is necessary in order to identify threat actors at the source, therefore providing protection to the Malwarebytes customer base, but also anyone else that uses the Google search engine.

Slack is not the only brand that threat actors like to impersonate. In fact, we also saw and reported malicious ads for the productivity suite Notion. We noticed that it also shared the same payload hosting infrastructure, indicating that the two campaigns were related.

If you are still clicking on ads to download software, you take a risk by allowing fraudulent advertisers to redirect you to malicious sites. Inadvertently installing malware and getting your identity stolen has never been easier.

We recommend paying special attention to sponsored results or adopting a tool such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as OSX.Poseidon.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Malicious hostnames

creativekt[.]com
slack[.]designexplorerapp[.]net
odoo[.]studioplatformapp[.]net
notion[.]foreducationapp[.]com
slack[.]workmeetingsapp[.]com
clockify[.]turnrevenue[.]com
slack[.]aerodrame[.]finance

GitHub repositories

github[.]com/09shubin/asdjh23/releases/download/nhehhh34/
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/

Payloads (Windows)

9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7

Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11[.]155
193.3.19[.]251

ABOUT THE AUTHOR

Jérôme Segura

Sr Director, Research