Malvertising campaign: a new threat targeting software searches

admin, 2023-10-23 14:36:17

Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads.

Malwarebytes, which discovered the activity, said it's "unique in its way to fingerprint users and distribute time sensitive payloads."

The attack singles out users searching for Notepad++ and PDF converters, serving bogus ads on the Google search results page that, when clicked, filter out bots and other unintended IP addresses by showing a decoy site.

Should the visitor be deemed of interest to the threat actor, the victim is redirected to a replica website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine.

Users who fail the check are taken to the legitimate Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes but also to make each download unique and time sensitive."

The final-stage malware is an HTA payload that establishes a connection to a remote domain ("mybigeye[.]icu") on a custom port and serves follow-on malware.

"Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims," Jérôme Segura, director of threat intelligence, said.

"With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads."

The disclosure overlaps with a similar campaign that targets users searching for the KeePass password manager with malicious ads that direct victims to a domain using Punycode (keepass[.]info vs. ķeepass[.]info), a special encoding used to convert Unicode characters to ASCII.

"People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim," Segura noted. "The threat actors have set up a temporary domain at keepasstacking[.]site that performs the conditional redirect to the final destination."

Users who land on the decoy site are tricked into downloading a malicious installer that ultimately leads to the execution of FakeBat (aka EugenLoader), a loader engineered to download other malicious code.

The abuse of Punycode is not entirely novel, but combining it with rogue Google Ads is a sign that malvertising via search engines is getting more sophisticated. By employing Punycode to register domain names that look like a legitimate site's, the goal is to pull off a homograph attack and lure victims into installing malware.
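To show what the Punycode homograph trick looks like from the defender's side, here is an added Python example (not code from the original article, Malwarebytes or KeePass) that converts a domain between its Unicode form and its ASCII `xn--` form with the standard-library `idna` codec, and flags hosts whose "visual skeleton" matches a protected brand. The `PROTECTED` set, the tiny `CONFUSABLES` table, the helper names and the proxy log lines are all constructed for this example; only the ķeepass[.]info domain comes from the article.

```python
import unicodedata
from urllib.parse import urlsplit

PROTECTED = {"keepass.info"}  # brand domains to protect; constructed for this example
# A few Cyrillic letters that render like Latin ones. The real Unicode confusables
# table (UTS #39) is much larger; this sample is illustrative only.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def to_alabel(domain):
    """Unicode (U-label) form -> ASCII 'xn--' (A-label) form, via Python's idna codec."""
    return domain.encode("idna").decode("ascii")

def to_ulabel(domain):
    """ASCII 'xn--' form -> Unicode form; non-ASCII input is taken to be Unicode already."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain

def skeleton(domain):
    """What the user *sees*: decompose, drop diacritics, map confusables, casefold."""
    decomposed = unicodedata.normalize("NFKD", to_ulabel(domain))
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped).casefold()

def classify(domain):
    """'legitimate' = exact protected domain, 'lookalike' = homograph of one, else 'unrelated'."""
    plain = to_ulabel(domain).casefold()
    if plain in PROTECTED:
        return "legitimate"
    if skeleton(plain) in PROTECTED:
        return "lookalike"
    return "unrelated"

def scan_proxy_log(lines):
    """Return (ascii_host, unicode_host) for each request to a homograph of a protected brand."""
    hits = []
    for line in lines:
        host = urlsplit(line.split()[-1]).hostname or ""  # constructed format ends with the URL
        if classify(host) == "lookalike":
            hits.append((host, to_ulabel(host)))
    return hits

# Constructed proxy log lines. The xn-- host is the A-label of the ķeepass[.]info domain
# named in the article, i.e. to_alabel("ķeepass.info"); the other two hosts are filler.
SAMPLE_LOG = [
    "2023-10-23T14:36:17Z 10.0.0.5 GET https://keepass.info/download.html",
    "2023-10-23T14:36:20Z 10.0.0.5 GET https://xn--eepass-vbb.info/download",
    "2023-10-23T14:36:25Z 10.0.0.6 GET https://example.org/",
]
```

Diacritic stripping catches the ķ-style lookalike from the article but not every Unicode confusable, so a production check should use the full UTS #39 confusables data rather than the five-entry sample above.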

"While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising," Segura said.

Speaking of visual trickery, multiple threat actors – TA569 (aka SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), ClearFake, and EtherHiding – have been observed taking advantage of themes related to fake browser updates to propagate Cobalt Strike, loaders, stealers, and remote access trojans, a sign that these attacks are a constant, evolving threat.

"Fake browser updates abuse end user trust with compromised websites and a lure customized to the user's browser to legitimize the update and fool users into clicking," Proofpoint researcher Dusty Miller said in an analysis published this week.

"The threat is only in the browser and can be initiated by a click from a legitimate and expected email, social media site, search engine query, or even just navigating to the compromised site."

Originally published by the WeChat official account 知机安全 under the title "Malvertising campaign: a new threat targeting software searches".

Reposted on CN-SEC 中文网: http://cn-sec.com/archives/2137186.html
