The Emergence of Google Ad Malware: Understanding the Threat

Digital advertising is a large market, dominated by Google, which draws the majority of its revenue from this one area. Given that ubiquity, it is no surprise that malicious actors leverage the Google advertising platform in different ways, and the latest form is ad malware. In this blog we take a closer look at what some of these threat campaigns look like, and at how we replicate the network traffic and IOCs they produce in the BreakingPoint product.

What is Ad Malware?

Ad malware, also known as malvertising, is a form of cyber-attack in which malware is delivered through online advertisements. These malicious ads can appear on legitimate websites and can be difficult to distinguish from genuine ones. When a user clicks on the ad, the malware can eventually infect their system, steal sensitive information, and spread to other systems on the network. You may have noticed that when you perform a search in Google, the most obvious result is not always among the first one or two links at the top of the page. For example, if you search for an automotive manufacturer hoping to reach its normal retail website, you will most likely first be presented with a handful of dealerships based on your location, and perhaps even a company that merely works on that manufacturer's cars and is not affiliated with it at all, listed above the manufacturer's actual website. In the cases we examine below, the malware is presented to the user via a Google ad and the attackers make no attempt to mask the attacker-controlled server that hosts it. Instead, they rely on Google ads to place their malicious link at the top of the page in front of the victim, and on the victim not recognizing that the site is the wrong one.

Case 1 - Rhadamanthys Jan 2023 Campaign

Infection

Our first example is a recent malicious Google ad advertising a Notepad++ download. It tries to trick the user into clicking a link to download what appears to be Notepad++, but instead redirects to a site hosting a malicious zip archive of the Rhadamanthys Stealer malware (Fig. 2). As mentioned above, rather than including the correct URL of the Notepad++ download page, the ad in Fig. 1 visibly shows the attacker-controlled server above a lure titled “Download Editor for Windows”.

Fig. 1 – Notepad++ Malicious link

Fig. 2 – Google ad Redirect to Malicious Server

Once the malicious site is rendered in the browser, the victim is presented with a web page that looks like a legitimate Notepad++ download page. However, all the download links are replaced with links to download the hosted Rhadamanthys Stealer malware (Fig. 3 & 4).

Fig. 3a – Original Notepad++ Download Page   Fig. 3b – Fake Notepad++ Download Page (no Google ads)

Fig. 4 – Malicious Notepad++ Download Links

Malware Transfer

The final step of the infection phase happens when the user clicks the download link. In this example a request is made for the malware, originally hosted at https://noteepad.hasankahrimanoglu.com.tr/ing.php . Once downloaded, the archive (MD5 6ce850799a8ad74a440af2d36a0d8966) is stored locally under the name Nottepaad_lastNeWx32x64.zip, again chosen to entice the user into opening and executing its contents.
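The lure in this campaign works only because the victim does not notice that noteepad.hasankahrimanoglu.com.tr is not the Notepad++ site. The check below is an added example (not code from the original post or from BreakingPoint) of how a defender can screen proxy or DNS logs for that pattern: it flags any hostname label that contains a brand token, or is within a couple of edits of it, unless the host really belongs to the vendor. The allowlist of vendor domains (notepad-plus-plus.org, anydesk.com) and the edit-distance threshold are the analyst's choices; the log sample is constructed, apart from the lure host quoted above.

```python
"""Flag hostnames that imitate a software brand but are not the vendor's domain.

Added example (not part of the original post or of BreakingPoint). It relies on
two analyst-maintained inputs: the vendor's real domains and a short list of
brand tokens; everything else is string comparison over the hostname labels.
"""

# Brand token -> domains the vendor actually uses (assumption: maintained by the
# analyst; notepad-plus-plus.org and anydesk.com are the real vendor domains).
BRANDS = {
    "notepad": ["notepad-plus-plus.org"],
    "anydesk": ["anydesk.com"],
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_vendor_host(host: str, domains) -> bool:
    """True only for the vendor domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def brand_hits(host: str, brands=BRANDS, max_dist: int = 2):
    """Return [(brand, label, distance)] for every label of `host` that contains
    a brand token verbatim (distance 0) or is within `max_dist` edits of it,
    unless the host really belongs to that vendor."""
    host = host.lower().rstrip(".")
    hits = []
    for brand, domains in brands.items():
        if is_vendor_host(host, domains):
            continue
        for label in host.split("."):
            # 'anydesk-download' style labels: test each hyphen-separated token
            for token in label.split("-"):
                if brand in token:
                    hits.append((brand, label, 0))
                    break
                dist = edit_distance(token, brand)
                if dist <= max_dist:
                    hits.append((brand, label, dist))
                    break
    return hits


def scan_hosts(hosts):
    """Map each suspicious host to its hits; clean hosts are omitted."""
    result = {}
    for host in hosts:
        hits = brand_hits(host)
        if hits:
            result[host] = hits
    return result


if __name__ == "__main__":
    # Constructed log sample: the lure host from the post plus three made-up ones.
    sample = [
        "noteepad.hasankahrimanoglu.com.tr",  # lure host quoted in the post
        "notepad-plus-plus.org",              # real vendor site
        "www.anydesk.com",                    # real vendor site
        "anydesk-download.example.net",       # constructed lookalike
    ]
    for host, hits in scan_hosts(sample).items():
        print(host, "->", hits)
```

The vendor check runs before the fuzzy match, so legitimate subdomains of the vendor never fire; the lure host above is reported with distance 1 ("noteepad" versus "notepad"), and the zip name from the post, "Nottepaad", would score 2. Tune `max_dist` against your own traffic: short brand tokens need a lower threshold to avoid matching unrelated labels.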

This malware sample, Rhadamanthys Stealer, performs a variety of functions. It runs some anti-analysis checks to try to ensure it is not being analyzed in a virtualized environment, but its primary function is to steal data from the victim. It targets crypto wallets and collects information from them. It also targets FTP clients, email clients, file and password managers, VPN services, and messaging applications, and it sends this data along with screenshots to the attacker's C&C server.

C2 Communication

The final phase of this campaign occurs after the malicious archive has been executed. First, the malware sends an HTTP GET request to download a JPG image (MD5 0edf394a9e0e34096dc81d3283ba642d) that carries obfuscated data hidden steganographically (Fig. 5, Fig. 6). Following that request it sends a similar HTTP GET request to the C2 server at the same URI, and the connection is upgraded to encrypted traffic (Fig. 7).

Fig. 5 – Rhadamanthys Image Traffic

Fig. 6 – Rhadamanthys Downloaded Image

Fig. 7 – Upgraded C2 Traffic
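The post says the downloaded JPG carries obfuscated data but does not say how it is embedded. One cheap and very common way to hide a payload in an image is to append it after the End-Of-Image marker (FFD9), which every viewer ignores. The script below is an added example (not code from the original post or from BreakingPoint) that walks the JPEG segment structure to find where the image really ends and returns whatever follows; it does this rather than searching for the last FFD9 byte pair, since that sequence can also occur inside an appended payload. The minimal JPEG it builds is constructed for the example and is not the campaign's image.

```python
"""Find data appended after a JPEG's End-Of-Image marker.

Added example, not code from the original post or from BreakingPoint. The
sample JPEG built by build_sample_jpeg() is constructed, not the campaign's.
"""

MARKER_NAMES = {
    0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDA: "SOS",
    0xDD: "DRI", 0xFE: "COM", 0xD8: "SOI", 0xD9: "EOI",
}
# Markers with no length field: TEM and RST0..RST7.
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def marker_name(m: int) -> str:
    if 0xE0 <= m <= 0xEF:
        return f"APP{m - 0xE0}"
    return MARKER_NAMES.get(m, f"0x{m:02X}")


def parse_jpeg(data: bytes):
    """Return (segments, end_offset): segments is a list of (name, offset, size),
    end_offset is the first byte after the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [("SOI", 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # optional fill bytes
            pos += 1
        if pos + 1 >= len(data):
            break
        marker, start = data[pos + 1], pos
        pos += 2
        if marker == 0xD9:
            segments.append(("EOI", start, 2))
            return segments, pos
        if marker in STANDALONE:
            segments.append((marker_name(marker), start, 2))
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")   # counts itself
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker_name(marker), start, length + 2))
        pos += length
        if marker == 0xDA:
            # Entropy-coded scan data follows SOS with no length field: advance
            # until a real marker (not a stuffed FF00 byte, not RSTn).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_data(data: bytes) -> bytes:
    """Bytes after the structural end of the image; empty for a clean file."""
    _, end = parse_jpeg(data)
    return data[end:]


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, APP0/JFIF, SOS, a few scan bytes
    (including a stuffed FF00), EOI, then the optional appended payload."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (len(app0_body) + 2).to_bytes(2, "big") + app0_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_body) + 2).to_bytes(2, "big") + sos_body
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    hidden = b"constructed payload: not the real obfuscated blob"
    img = build_sample_jpeg(hidden)
    segs, end = parse_jpeg(img)
    print([s[0] for s in segs], "image ends at", end, "of", len(img))
    extra = trailing_data(img)
    print(f"{len(extra)} trailing bytes:", extra[:24])
```

A non-empty result is worth a second look but is not proof on its own: some cameras and editors leave junk after EOI, so compare the trailing size and entropy against what the rest of the campaign's samples show. Data hidden inside the pixel data or in an APPn segment (the segment list this parser returns is the place to look for unusually large ones) will not be caught by this check.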

Case 2 - Google ad for Fake AnyDesk Campaign Feb 2023

Infection

This campaign begins with a Google ad advertising an AnyDesk software download. It tries to trick the user into clicking a link to download what appears to be AnyDesk, but instead redirects to a site hosting a malicious MSI download that has been associated with the group TA505 (Fig. 7/8). This campaign's traffic is encrypted with TLS; to better illustrate the network communication, the output below is shown unencrypted.

Fig. 7 – Google ad Redirect to Fake AnyDesk

Fig. 8 – Fake AnyDesk Site

Fig. 9 – Download Link Pointing to TA505 MSI Malware

Malware Transfer

Once the user clicks the download link, a request over TLS is made to retrieve the MSI malware (MD5 c4e9e9a06001c6197de2ea2fec3d2214). Figure 10 shows the unencrypted version of that request.

Fig. 10 – TA505 MSI Malware

The downloaded MSI installer uses names like AnydeskSetup to entice the victim to open it.

Once executed, the malware begins its next stage. First a DLL (MD5 0993776328ea1684833f09868032549c) is downloaded that gives the TA505 malware persistence: it places a copy of the malware in the same location but under a randomized name, and alters some of its contents so that the file hash changes (Fig. 11). This file placement and naming convention matters for the operation of the next DLL that is downloaded.

Fig. 11 – Persistent DLL Download

After this DLL is executed with rundll32, an additional DLL responsible for the C2 communication is downloaded (MD5 725a75280bebdba3c150b304bf6cfa42) (Fig. 12).

Fig. 12 – Final DLL Download

C2 Communication

This final DLL is responsible for the outbound traffic from the host to the command-and-control server. The C2 traffic is sent over TCP port 443 but is not encrypted. Examples of the data exfiltrated to the attacker include the Windows version, computer name, current user, and the location and current name of the persistent malware sample stored under C:\ProgramData\ (Fig. 13). This last item ties back to the previous DLL and how it stores and names itself, which it then reports back to the attacker.

Fig. 13 – C2 System Info and TCP Traffic
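Two properties of this chain are cheap to detect: rundll32 loading a DLL from C:\ProgramData, and a port 443 flow whose first client bytes are not a TLS record. The script below is an added example (not code from the original post or from BreakingPoint) that implements both checks over constructed process-creation command lines and first-payload samples. The post does not document the beacon's byte layout, so the plaintext beacon used here is a constructed stand-in that only mirrors the fields the post lists; treating C:\Users\ as a second suspicious load directory is the analyst's assumption, not something the post states.

```python
"""Two cheap checks for the TA505 chain: rundll32 from a writable directory
and non-TLS traffic on TCP/443.

Added example, not code from the original post or from BreakingPoint. The
sample command lines, ClientHello prefix and beacon below are constructed.
"""
import re

# Directories rundll32 should not normally load a DLL from. C:\ProgramData is
# the location the post reports; C:\Users is an added analyst assumption.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\")

# First argument to rundll32: either "quoted path" or an unquoted path that
# ends at the comma before the export name or at whitespace.
_RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)


def rundll32_dll(cmdline: str):
    """DLL path passed to rundll32, or None if the command is not rundll32."""
    m = _RUNDLL_ARG.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).replace("/", "\\")


def suspicious_rundll32(cmdline: str) -> bool:
    dll = rundll32_dll(cmdline)
    return bool(dll) and dll.lower().startswith(WRITABLE_DIRS)


def classify_443_payload(payload: bytes) -> str:
    """Classify the first bytes a client sends on a port 443 connection."""
    # TLS record header: type, version 0x03xx, 2-byte length; handshake type 1
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-handshake"          # ClientHello inside a handshake record
    if (len(payload) >= 3 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls-other"              # CCS / alert / application data record
    if re.match(rb"(GET|POST|HEAD|PUT|CONNECT) \S+ HTTP/", payload):
        return "http-plaintext"
    if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "plaintext-unknown"      # printable but not HTTP: beacon-like
    return "binary-unknown"


def flag_flows(flows):
    """flows: iterable of (dst, dst_port, first_client_payload).
    Returns [(dst, classification)] for port 443 flows that are not TLS."""
    out = []
    for dst, port, payload in flows:
        if port != 443:
            continue
        kind = classify_443_payload(payload)
        if not kind.startswith("tls"):
            out.append((dst, kind))
    return out


# Constructed samples (not captured from the campaign).
CLIENT_HELLO = bytes.fromhex("160301003c0100003803035e")
BEACON = b"Windows 10 Pro|DESKTOP-AB12CD|jdoe|C:\\ProgramData\\qwe1234.dll\r\n"
HTTP_GET = b"GET /ing.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CMDLINES = [
    r"rundll32.exe C:\ProgramData\qwe1234.dll,DllRegisterServer",
    r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\abc def.dll",#1',
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for c in CMDLINES:
        print(suspicious_rundll32(c), rundll32_dll(c))
    flows = [("203.0.113.10", 443, CLIENT_HELLO),
             ("203.0.113.20", 443, BEACON),
             ("203.0.113.30", 80, HTTP_GET)]
    print(flag_flows(flows))
```

The network check only looks at the first client bytes, which is enough to separate a TLS handshake from the plaintext beacon in Fig. 13, but it will also flag legitimate non-TLS services that happen to listen on 443; pair the hit with the host-side rundll32 event, or with the ProgramData path appearing in the payload, before escalating.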

Conclusion

Malware can be delivered in numerous ways, such as phishing or spam emails, drive-by downloads, or, as we have seen in this latest wave of attacks, Google ad redirects to malicious websites. In the past couple of months alone we have seen many of these ad threat campaigns, and we expect their numbers to keep growing until Google brings them under control. The delivered payloads are of course the attackers' choice and have ranged from newer malware like Rhadamanthys Stealer to well-known culprits like IcedID and Cobalt Strike.

The BreakingPoint Application Threat Intelligence Research team's goal is to arm its customers with the latest threat intelligence, including newly discovered and highly popular malware attacks and campaigns. For every threat campaign we aim to include the entire network communication traffic, which might begin with a phishing email or a Google ad redirect and proceed to the transfer of any additional malware sample files. For the command-and-control communication we include the default strings seen in real-world samples and network traffic, but we also randomize at runtime the data that attackers can or might change, while still following the observed signature format. For example, in the C2 traffic above the computer and username information can be randomized, as can the malware's name, but the storage location and naming convention must follow what the malicious sample does. These features, along with the ability to randomize file transport methods and to apply host evasion options for protocols like HTTP, SMB, FTP, etc., ensure your security devices are working as hard as our adversaries.
