Black SEO Offerings Gaining Momentum in Underground Forums
Malvertising Campaigns Trick Users Searching for AI-Related Tools Such as ChatGPT
Cybercriminals are leveraging Google's paid advertisement service to push malicious sites on top search results in order to trick victims into downloading malware such as IcedID and Gozi Trojan.
Researchers at Sophos identified multiple campaigns using malvertising to lure unsuspecting users into downloading malware.
"When a user searches for a related term and clicks through to the malicious site, the attackers check the Referer header to confirm the user came via the search engine, and then entice them into downloading malware disguised as a legitimate software application," the researchers said.
Christopher Budd, director of threat research at Sophos, told Information Security Media Group that there has been a resurgence in the use of malvertising in a wide variety of campaigns and advertisements for this type of service on underground forums.
"We believe it could be attackers working around changes Microsoft made last year to protect against malicious macros. The growth of cybercrime as a service could also explain the growing availability and use of malvertising by threat actors," Budd said.
Malvertising has many advantages, said Budd. Cybercriminals can use it to specifically target users, particularly geographically. And these types of malware campaigns can be hard for defenders to track and take down, he said.
Recently, researchers at Trend Micro uncovered how the BlackCat ransomware-as-a-service group was developing a threat activity cluster that used chosen keywords on the web pages of legitimate organizations to deploy malware (see: BlackCat Uses Malvertising to Push Backdoor).
Sophos researchers also found campaigns targeting users searching for AI-related tools such as Midjourney and ChatGPT. "It's likely that criminals will continue to evolve their malvertising campaigns, and the security community should be on alert," Budd said.
The latest malvertising campaigns involving IcedID included lures related to communications platforms such as Microsoft Teams, Slack, Brave Browser and LibreOffice; IT administration tools such as WebEx, GoTo, AnyDesk and TeamViewer; and finance-related software.
In another campaign, researchers observed that a VHD container had been downloaded from a malicious site. When mounted, it revealed Installer.bat, a batch file containing simple commands intended to raise execution privileges, add scanning exclusions for Windows Defender, and download and execute a remote batch script and an executable.
Researchers found that the URLs in the batch script contained hash values identical to previous BatLoader campaigns. The initial access malware loader, BatLoader, allows threat actors to download more sophisticated malware such as the prominent commodity info stealer Raccoon Stealer and the backdoor Gozi/Ursnif.
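The Installer.bat behaviour described above (adding Defender exclusions before fetching a payload) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from Sophos or the article: it flags `Add-MpPreference` exclusion additions and `Set-MpPreference -Disable*` changes in process command lines, and exclusion entries in Defender "configuration changed" Event 5007 messages. The sample events are constructed, and the 5007 message text only approximates the real event format.

```python
import re

# Constructed sample telemetry: process command lines (as a Sysmon Event 1 or
# Security 4688 collector would forward them) and Defender Event 5007 messages.
# Paths and values are made up for this example.
SAMPLE_EVENTS = [
    {"source": "process",
     "command_line": r'powershell.exe -ep bypass Add-MpPreference -ExclusionPath "C:\Users\Public\Stage"'},
    {"source": "process",
     "command_line": r'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"source": "process",
     "command_line": r'cmd.exe /c copy setup.exe C:\Users\Public\Stage'},
    {"source": "defender_5007",
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Stage = 0x0"},
    {"source": "defender_5007",
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
]

# Command-line patterns: an exclusion being added, or a protection being switched off.
ADD_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(Path|Extension|Process|IpAddress)\s+"?([^"\s]+)', re.IGNORECASE)
DISABLE_PROTECTION = re.compile(r"Set-MpPreference\b.*?-(Disable\w+)\s+\$?true", re.IGNORECASE)
# Event 5007 records registry-backed configuration changes; a new exclusion appears
# under the Exclusions key in the "New value" field (format approximated here).
EXCLUSION_5007 = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(\w+)\\(.+?)\s*=", re.IGNORECASE)


def detect_defender_tampering(events):
    """Return one finding per event that weakens Defender coverage."""
    findings = []
    for ev in events:
        if ev["source"] == "process":
            m = ADD_EXCLUSION.search(ev["command_line"])
            if m:
                findings.append({"rule": "defender_exclusion_added", "kind": m.group(1), "value": m.group(2)})
                continue
            m = DISABLE_PROTECTION.search(ev["command_line"])
            if m:
                findings.append({"rule": "defender_protection_disabled", "kind": m.group(1), "value": ""})
        elif ev["source"] == "defender_5007":
            m = EXCLUSION_5007.search(ev["message"])
            if m:
                findings.append({"rule": "defender_exclusion_added", "kind": m.group(1), "value": m.group(2)})
    return findings


if __name__ == "__main__":
    for finding in detect_defender_tampering(SAMPLE_EVENTS):
        print(finding)
```

Correlating an exclusion finding with a subsequent download into the excluded path, as the described batch file did, is what turns these single alerts into a high-confidence detection.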
Sophos researchers analyzed prominent criminal marketplaces and observed a significant number of advertisements for and discussion about SEO poisoning, malvertising and related services, going back to 2016.
Most recently, bad actors have listed compromised Google Ads accounts for sale. The researchers also observed the sale of so-called Black SEO services as part of a bundle, along with other malware-related listings.
"Marketplace users have a keen interest in SEO poisoning and malvertising," the researchers said. "This may be because malvertising offers several advantages to threat actors: It allows them to target specific regions, and because victims are already looking to download something, the probability of infection may increase."
Malvertising also bypasses email filters and can convince users to click a link or download and open an attachment.