Malvertising via Dynamic Search Ads delivers malware bonanza

Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

Compromised website promotes software crack

While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.

This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.

In particular, it changes the page’s title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for Pycharm, a popular program used by software developers:

662e38c405dccb3bf73095450e274f97d0d067f4ff6ac442c4146295bbd721ab

Malvertising via Dynamic Search Ad

Dynamic Search Ads (DSA) are a type of Google ads that use the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also comes with the unlikely but potential for abuse. Indeed, if someone is able to modify the website’s content without the owner’s knowledge, automated ads may be entirely misleading.

d0263ca19affe17cbe11cd867270fa05c4736a2ac6768c6bea4108d4b1591ba4Circling back to where our investigation started, this is what we first saw when doing a Google search for ‘pycharm’. The ad’s headline is showing “JetBrains PyCharm Professional” while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad’s title promotes (a program for developers) and the ad’s description (wedding planning).

66e1f4156e470192505ed3517bbc13ecccecac12c2e96782291227cfc096344a

What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.

Fake serial leads to malware bonanza

People searching for PyCharm may not take the time to read the ad’s description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren’t likely to forget:

6580a79ca3219c6f45a3fcb24b994645c4673055dd89a6c692ae1e58f0ae8271

Running this installer will result in a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable:

b8ba6f81ae67e620765a8e9e28b7411711ff132da15ba43e4aec587d763b94e4

Sometimes, an unexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack as the victim will be aware their computer has been loaded with unwanted programs.

Whatever the case may be, downloading cracks or serial keys is akin to walking across a mine field, and you typically only do it once.

Summary

This incident is not your typical malvertising case and in fact, it’s unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.

From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.

Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.

We recommend users to practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.

We have informed the wedding planner business that their website is currently compromised and leading to malicious content.

Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:

3f70b0092271f38f68219465c492b783687d7350e251c02fadd6cef3447dd95c

Indicators of Compromise

Download URL for fake serial:

eplangocview[.]com/wp-download/File.7z

Subsequent malware download URLs:

roberthamilton[.]top/timeSync[.]exe
109[.]107[.]182[.]2/race/bus50[.]exe
171[.]22[.]28[.]226/download/Services[.]exe
experiment[.]pw/setup294[.]exe
medfioytrkdkcodlskeej[.]net/987123[.]exe
171[.]22[.]28[.]226/download/WWW14_64[.]exe
185[.]172[.]128[.]69/newumma[.]exe
194[.]169[.]175[.]233/setup[.]exe
171[.]22[.]28[.]221/files/Ads[.]exe
171[.]22[.]28[.]213/3[.]exe
lakuiksong[.]known[.]co[.]ke/netTimer[.]exe
stim[.]graspalace[.]com/order/tuc19[.]exe
neuralshit[.]net/1298d7c8d865df39937f1b0eb46c0e3f/7725eaa6592c80f8124e769b4e8a07f7[.]exe
pic[.]himanfast[.]com/order/tuc15[.]exe
85[.]217[.]144[.]143/files/My2[.]exe
galandskiyher5[.]com/downloads/toolspub1[.]exe
gobr1on[.]top/build[.]exe
flyawayaero[.]net/baf14778c246e15550645e30ba78ce1c[.]exe
632432[.]space/385118/setup[.]exe
yip[.]su/RNWPd[.]exe
potatogoose[.]com/1298d7c8d865df39937f1b0eb46c0e3f/baf14778c246e15550645e30ba78ce1c[.]exe
185[.]216[.]71[.]26/download/k/KL[.]exe
walkinglate[.]com/watchdog/watchdog[.]exe
walkinglate[.]com/uninstall[.]exe

Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.