Malicious Google Ads Attack: A Trap for WinSCP Users

admin | 2023-11-19 11:22:46 | 8 views | 3,595 characters | 11 min 59 s read

Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.

Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.

"The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The threat actors are believed to leverage Google's Dynamic Search Ads (DSAs), which automatically generate ads based on a site's content, to serve the malicious ads that take victims to the infected site.

The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and downloading the malware.

"Traffic from the gaweeweb[.]com website to the fake winsccp[.]net website relies on a correct referrer header being set properly," the researchers said. "If the referrer is incorrect, the user is 'Rickrolled' and is sent to the infamous Rick Astley YouTube video."

The final payload takes the form of a ZIP file ("WinSCP_v.6.1.zip") that comes with a setup executable, which, when launched, employs DLL side-loading to load and execute a DLL file named python311.dll that's present within the archive.
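As an added defensive example (not code from the report or from Securonix): a Python checker that flags archives laid out like the one described above, an installer executable sitting in the same directory as a DLL named after a well-known runtime library, and records the DLL's SHA-256 so it can be compared with the real vendor's published hash. The watchlist of DLL names and the two in-memory sample archives are constructed assumptions.

```python
import hashlib
import io
import posixpath
import zipfile

# Constructed watchlist (assumption, not from the report): runtime DLLs that
# installers commonly load from their own directory and that attackers like to
# replace. The SEO#LURKER archive abused python311.dll.
SIDELOAD_WATCHLIST = {"python311.dll", "python310.dll", "python3.dll",
                      "vcruntime140.dll", "msvcp140.dll", "libcurl.dll"}


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Return every (exe, dll) pair sharing an archive directory where the DLL
    name is on the watchlist, with the DLL's SHA-256 for hash comparison."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir: dict[str, list[zipfile.ZipInfo]] = {}
        for m in zf.infolist():
            if not m.is_dir():
                by_dir.setdefault(posixpath.dirname(m.filename), []).append(m)
        for directory, entries in by_dir.items():
            exes = [m for m in entries if m.filename.lower().endswith(".exe")]
            dlls = [m for m in entries
                    if posixpath.basename(m.filename).lower() in SIDELOAD_WATCHLIST]
            for exe in exes:
                for dll in dlls:
                    findings.append({"directory": directory or ".",
                                     "exe": posixpath.basename(exe.filename),
                                     "dll": posixpath.basename(dll.filename),
                                     "dll_sha256": hashlib.sha256(zf.read(dll)).hexdigest()})
    return findings


def _build_sample(entries: dict[str, bytes]) -> bytes:
    """Constructed in-memory archive used only to exercise the checker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for the "WinSCP_v.6.1.zip" layout the report describes.
SUSPECT_ZIP = _build_sample({"WinSCP_v.6.1/setup.exe": b"MZ-stub",
                             "WinSCP_v.6.1/python311.dll": b"MZ-dll-stub"})
# Constructed benign archive: an installer with no bundled runtime DLL.
CLEAN_ZIP = _build_sample({"installer/setup.exe": b"MZ-stub",
                           "installer/readme.txt": b"hello"})

if __name__ == "__main__":
    for f in find_sideload_candidates(SUSPECT_ZIP):
        print(f"{f['directory']}: {f['exe']} beside {f['dll']} sha256={f['dll_sha256']}")
```

A hit is only a lead: confirm it by checking the DLL's hash against the vendor's release and, if it differs, treat the whole archive as untrusted.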

The DLL, for its part, downloads and executes a legitimate WinSCP installer to keep up the ruse, while stealthily dropping Python scripts ("slv.py" and "wo15.py") in the background to activate the malicious behavior. It's also responsible for setting up persistence.

Both the Python scripts are designed to establish contact with a remote actor-controlled server to receive further instructions that allow the attackers to run enumeration commands on the host.

"Given the fact that the attackers were leveraging Google Ads to disperse malware, it can be believed that the targets are limited to anyone seeking WinSCP software," the researchers said.

"The geoblocking used on the site hosting the malware suggests that those in the U.S. are victims of this attack."

This is not the first time Google's Dynamic Search Ads have been abused to distribute malware. Late last month, Malwarebytes lifted the lid on a campaign that targets users searching for PyCharm with links to a hacked website hosting a rogue installer that paves the way for the deployment of information-stealing malware.

Malvertising has grown in popularity among cybercriminals in the past few years, with numerous malware campaigns using the tactic for attacks in recent months.

Earlier this week, Malwarebytes revealed an uptick in credit card skimming campaigns in October 2023 that's estimated to have compromised hundreds of e-commerce websites with an aim to steal financial information by injecting convincing counterfeit payment pages.

Originally published on the WeChat public account 知机安全: Malicious Google Ads Attack: A Trap for WinSCP Users

Reprint link (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2219876.html
