Hackers use Google search ads to deliver info-stealing malware

Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.

At least one prominent user on the cryptocurrency scene has fallen victim to the campaign, claiming it allowed hacker hackers steal all their digital crypto assets along with control over their professional and personal accounts.

Over the weekend, crypto influencer Alex, better known by their online persona NFT God, was hacked after launching a fake executable for the Open Broadcaster Software (OBS) video recording and live streaming software they had downloaded from a Google ad in search results.

Google search ad for malicious OBS Studio download
Google search ad for malicious OBS Studio download
source: Will Dormann

“Nothing happened when I clicked the EXE,” Alex wrote in a Twitter thread recounting their experience over the weekend. However, a few hours later friends alerted them that their Twitter account had been hacked.

Unbeknownst to Alex, this was likely an information-stealing malware that stole their saved browser passwords, cookies, Discord tokens, and cryptocurrency wallets and sent them to a remote attacker.

Soon, Alex found that their account at the OpenSea NFT marketplace had also been compromised and a different wallet was listed as the owner of one of their digital assets.

“I knew at that moment it was all gone. Everything. All my crypto and NFTs ripped from me,” NFT God says in the thread.

Soon, Alex discovered that their Substack, Gmail, Discord, and cryptocurrency wallets suffered the same fate and were controlled by the hackers.

Crypto influencer had their online accounts hacked after downloading fake OBS Studio via Google search ads
Crypto influencer NFT God's online accounts hacked
source: NFT God

While this is not a new stratagem, threat actors appear to use it more often. In October last year, BleepingComputer reported on a massive campaign that relied on more than 200 typosquatting domains for over two dozen brands to mislead users.

The distribution method was unknown at the time but separate reports in December from cybersecurity companies Trend Micro and Guardio revealed that hackers were abusing the Google Ads platform to push malicious downloads in search results.

Flurry of malicious ads in Google search results

Following NFT God’s thread, BleepingComputer conducted its own research and uncovered that OBS is one in a long list of software that threat actors impersonate to push malicious downloads in Google Ads search results.

One example we found is a Google Ad search result for Rufus, a free utility for creating bootable USB flash drives.

The threat actor registered domains that resemble the official one and copied the main part of the legitimate site up to the download section.

In one case, they used the generic top-level domain “pro,” likely in an attempt to pique victim interest and attract with the promise of a wider set of program features.

Ads in Google Search for malicious Rufus download
Malicious Rufus download pushed via ads in Google search results
source: BleepingComputer

To note, there is no advanced variant of Rufus. There is only one edition available as an installable or portable variant hosted on GitHub.

For the malicious version, the download goes to a file transfer service. Because it is an archive bomb, many antivirus engines do not detect it as a threat.

Another popular program impersonated is the text and source code editor Notepad++. The threat actor used typosquatting to create a domain similar to the legitimate one from the official developer.

Malicious Notepad++ download pushed via ads in Google search results
Ad in Google Search for malicious Notepad++ download
source: BleepingComputer

Security researcher Will Dormann found that fake Notepad++ downloads in the sponsored section of Google search were available from additional URLs, all files being marked as malicious by various antivirus (AV) engines on the Virus Total scanning platform.

Malicious Notepad++ ad in Google search results
Malicious Notepad++ ad in Google search results
source: Will Dormann

BleepingComputer also found a website filled with fake software downloads distributed solely via Google Ads search results. The website impersonates what appears to be a legitimate web design company in India called Zensoft Tech.

Unfortunately, we could not verify if the downloads were malicious but given that the domain is a typosquatted URL, the site blocks search engines from indexing content and promoting the downloads only through ads in search results, there is a strong indication of malicious activity.

Among the pieces of software we discovered on the website are the file compression utilities 7-ZIP and WinRAR, and the widely used media player VLC.

Malicious downloads for WinRAR, 7-ZIP, VLC in sponsored ads on Google search
Malicious downloads for WinRAR, 7-ZIP, VLC in sponsored ads on Google search
source: BleepingComputer

From a different domain, threat actors provided a malicious version of the CCleaner utility for removing potentially unwanted files and invalid Windows Registry entries.

It appears that the hackers made an effort to outbid the legitimate developer and thus have their ad in the top position. As seen in the image below, the official CCleaner website is displayed under the malicious advertisement. This site offered a CCleaner.zip file that installed Redline information-stealing malware.

CCleaner malicious download pushed via ads in Google search results
CCleaner malicious download pushed via Google ads
source: BleepingComputer

Several security researchers (mdmck10MalwareHunterTeamWill DormannGermán Fernández) have uncovered additional URLs hosting malicious downloads impersonating free and open-source software, confirming that luring users through sponsored results on Google search is a more common approach for cybercriminals.

Germán Fernández of cybersecurity company CronUp provides a list of 70 domains that are distributing malware through Google Ads search results by impersonating legitimate software.

The websites are replicas of the official ones and either provide fake software or redirect to another download location. Many of them offer Audacity and some are for VLC and the image editor GIMP.

One user almost fell for the trick when looking to get the Blender 3D open-source 3D creation suite. A tweet from MalwareHunterTeam shows that three malicious ads for this product preceded the link from the official developer.

Google search results show ads for malicious Blender 3D download
Malicious Blender 3D downloads take top ad spot in Google search results
source: Nox Scimitar

Looking at one of the samples flagged as malicious by some AV products, security researcher Will Dormann noticed that it had an invalid signature from cybersecurity company Bitdefender.

Although BleepingComputer could not check in all cases the malware delivered this way, in some instances the payload was the RedLine Stealer we saw in the fake CCleaner site.

This malware collects sensitive data from browsers (credentials, credit card, autocomplete info), details about the system (username, location, hardware, security software available), and cryptocurrency.

Fernández found that one threat actor distributed the .NET-based remote access trojan SectoRAT, also known as Arechclient2, via fake downloads for the Audacity digital audio editor.

The researcher also came across the Vidar info-stealer delivered via malicious downloads for Blender 3D advertised in Google Search. Vidar is focused on collecting sensitive info from browsers and can also steal cryptocurrency wallets.

After publishing this article, researchers at HP Wolf Security released a report about similar campaigns, noting that the first one they analyzed dated from November 2022.

Some of the malware they saw delivered through fake software malvertising includes the IcedID trojan, Vidar, Rhadamanthys Stealer and BatLoader.

At the moment, BleepingComputer and multiple security researchers have seen malicious ads in Google search results for the following software:

  • 7-Zip
  • Blender 3D
  • Capcut
  • CCleaner
  • Notepad++
  • OBS
  • Rufus
  • VirtualBox
  • VLC Media Player
  • WinRAR
  • Putty

BleepingComputer has shared some of these findings with Google and a company representative told us that the platform’s policies are designed and enforced to prevent brand impersonation.

"We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands, and we enforce them vigorously. We reviewed the ads in question and have removed them" - Google

At the time of writing this article, Google said it would check if additional advertisements and sites reported violated their policies and would take appropriate action if needed. The company has completed this process and removed the reported malicious ads.

Ad-blockers could increase protection

Using sponsored ads in search results as a malware delivery channel has been flagged by the FBI in an alert last year before Christmas.

The agency warned that “these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result” and they link to a website that “looks identical to the impersonated business’s official webpage.”

Because of this, cybercriminals have a better chance of spreading their malware to a larger pool of unsuspecting users.

Checking the URL of a download source is always good advice. Coupled with the use of an ad-blocker, the level of protection against this type of threat should decrease drastically.

Ad-blockers are available as extensions in most web browsers and, as their name says, they stop advertisements from being loaded and displayed on a web page, including search results.

Apart from adding to more comfortable use of the internet, ad-blockers also step up privacy by preventing tracking cookies in advertisements from collecting data about your browsing habits.

In this case, however, such extensions could make the difference between losing access to your sensitive information or online accounts and getting digital resources from legitimate vendors.

Update [January 18, 2023]: Article updated to reflect that Google reviewed additional malicious ads reported and removed them after publishing this article. Initially, the company received only a smaller set of malicious ads and removed them from the platform.

Added new details from HP Wolf Security research finding other malware delivered through fake software advertising campaigns since November 2022.

Related Articles:

Microsoft again bothers Chrome users with Bing popup ads in Windows

Google fixes Chrome zero-days exploited at Pwn2Own 2024

Free VPN apps on Google Play turned Android phones into proxies

Google: Spyware vendors behind 50% of zero-days exploited in 2023

Hackers poison source code from largest Discord bot platform