Threat actors use manipulated search results and fake Google ads to trick users who intend to download legitimate software such as WinSCP into installing malware.
Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.
“The malicious advertisement directs the user to a compromised WordPress website gameeweb(.)com, which redirects the user to a phishing site controlled by the attacker,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
The threat actors are believed to abuse Google’s Dynamic Search Ads (DSAs), which automatically generate ads based on a site’s content, to serve the malicious ads that drive victims to the infected site.
The ultimate goal of the multi-stage attack chain is to entice users into clicking through to the fake WinSCP website, winsccp(.)net, and downloading the malware.
“Traffic from the gaweeweb(.)com website to the fake winsccp(.)net website relies on the correct referrer header being set correctly,” the researchers said. “If the referrer is incorrect, the user is ‘Rickrolled’ and sent to the famous Rick Astley video on YouTube.”
The final payload takes the form of a ZIP file (“WinSCP_v.6.1.zip”) containing a setup executable which, when launched, uses DLL side-loading to load and execute a DLL named python311.dll that ships inside the archive. The name is that of the legitimate CPython 3.11 runtime library; because Windows resolves a DLL from the executable’s own directory before the system locations, the rogue copy sitting next to the installer is the one that gets loaded.
The DLL, for its part, downloads and executes a legitimate WinSCP installer to keep up the ruse, while surreptitiously dropping Python scripts (“slv.py” and “wo15.py”) in the background to activate the malicious behavior. It is also responsible for setting up persistence.
The two Python scripts are designed to establish contact with a remote, actor-controlled server to receive additional instructions, which allow the attackers to run enumeration commands on the host.
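Two checks a defender can run against the infection chain just described, as an added example (this is not code from Securonix, The Hacker News, or the malware authors): a static triage of a downloaded archive that flags an executable sitting beside a runtime-named DLL such as python311.dll, and a detection pass over Sysmon Event ID 7 (ImageLoaded) style records that flags such a DLL being loaded from a user-writable directory or without a valid signature. The archive layout, the member name setup.exe, the sample events, and the trusted-directory list are constructed assumptions for the demo; only the archive name WinSCP_v.6.1.zip and the DLL name python311.dll come from the report.

```python
"""Triage helpers for a WinSCP-themed DLL side-loading lure.

Added example, not the researchers' or the project's own code. Sample
archive contents and Sysmon-style events are constructed for the demo.
"""
from __future__ import annotations

import io
import ntpath
import zipfile

# DLL names an installer might be tricked into loading from its own
# directory. python311.dll is the real CPython 3.11 runtime name; the
# other two are assumptions added to show the check generalises.
SIDELOAD_DLLS = {"python311.dll", "python3.dll", "vcruntime140.dll"}

# Locations where the genuine runtime normally lives (assumed list,
# not exhaustive). Anything else, e.g. Downloads or Temp, is suspect.
TRUSTED_PARENTS = (
    "\\program files\\",
    "\\program files (x86)\\",
    "\\windows\\",
    "\\appdata\\local\\programs\\python\\",
)


def triage_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (executable, dll) pairs where a side-load candidate DLL
    sits in the same archive directory as an .exe."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict[str, list[str]] = {}
    for n in names:
        d, base = n.rsplit("/", 1) if "/" in n else ("", n)
        by_dir.setdefault(d, []).append(base)
    hits = []
    for d, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in SIDELOAD_DLLS]
        for exe in exes:
            for dll in dlls:
                prefix = f"{d}/" if d else ""
                hits.append((prefix + exe, prefix + dll))
    return hits


def suspicious_image_loads(events: list[dict]) -> list[dict]:
    """Flag Sysmon Event ID 7 style records where a runtime-named DLL is
    loaded from outside the trusted install paths or is unsigned."""
    flagged = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() not in SIDELOAD_DLLS:
            continue
        in_trusted = any(p in loaded.lower() for p in TRUSTED_PARENTS)
        signed = ev.get("Signed", "").lower() == "true"
        if not in_trusted or not signed:
            flagged.append(ev)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed stand-in for WinSCP_v.6.1.zip (member names assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WinSCP_v.6.1/setup.exe", b"MZ-not-a-real-pe")
        zf.writestr("WinSCP_v.6.1/python311.dll", b"MZ-not-a-real-dll")
        zf.writestr("WinSCP_v.6.1/readme.txt", b"decoy text")
    return buf.getvalue()


# Constructed Sysmon-style image-load records (not real telemetry).
SAMPLE_EVENTS = [
    {  # installer from Downloads pulling the DLL from its own folder
        "Image": r"C:\Users\victim\Downloads\WinSCP_v.6.1\setup.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\WinSCP_v.6.1\python311.dll",
        "Signed": "false",
    },
    {  # legitimate interpreter loading its own runtime
        "Image": r"C:\Program Files\Python311\python.exe",
        "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
        "Signed": "true",
    },
    {  # unrelated system DLL, ignored by the check
        "Image": r"C:\Users\victim\Downloads\WinSCP_v.6.1\setup.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
    for ev in suspicious_image_loads(SAMPLE_EVENTS):
        print("suspicious load:", ev["Image"], "->", ev["ImageLoaded"])
```

The archive check is a pre-execution heuristic only: a benign installer that really bundles a runtime DLL will match too, so treat a hit as a reason to verify the publisher signature of the archived files, not as a verdict. The image-load check is the one to turn into a rule on the endpoint, since a genuine WinSCP installer never loads python311.dll from the user's Downloads folder.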
“Due to the fact that the attackers are using Google Ads to spread the malware, it can be assumed that the targets are limited to anyone looking for the WinSCP software,” the researchers said.
“The geoblocking used by the site hosting the malware suggests that those in the US are victims of this attack.”
This is not the first time that Google’s Dynamic Search Ads have been abused to distribute malware. Last month, Malwarebytes lifted the lid on a campaign targeting users searching for PyCharm with links to a hacked website hosting a rogue installer that paved the way for the deployment of information-stealing malware.
Malvertising has surged in popularity among cybercriminals in the past few years, with several malware campaigns using the tactic in recent months.
Earlier this week, Malwarebytes revealed an increase in credit card skimming campaigns in October 2023, estimated to have compromised hundreds of e-commerce websites, with the aim of stealing financial information by injecting convincing fake payment pages.