
Malicious Google Ads Trick WinSCP Users into Installing Malware


Nov 17, 2023 | Newsroom | Malvertising / Malware


Threat actors are leveraging manipulated search results and bogus Google ads that trick users who want to download legitimate software such as WinSCP into installing malware instead.

Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.

"The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The threat actors are believed to leverage Google's Dynamic Search Ads (DSAs), which automatically generate ads based on a site's content, to serve the malicious ads that take victims to the infected site.


The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and downloading the malware.

"Traffic from the gaweeweb[.]com website to the fake winsccp[.]net website relies on a correct referrer header being set properly," the researchers said. "If the referrer is incorrect, the user is 'Rickrolled' and is sent to the infamous Rick Astley YouTube video."

The final payload takes the form of a ZIP file ("WinSCP_v.6.1.zip") that comes with a setup executable, which, when launched, employs DLL side-loading to load and execute a DLL file named python311.dll that is present within the archive.

The DLL, for its part, downloads and executes a legitimate WinSCP installer to keep up the ruse, while stealthily dropping Python scripts ("slv.py" and "wo15.py") in the background to activate the malicious behavior. It is also responsible for setting up persistence.

Both Python scripts are designed to establish contact with a remote actor-controlled server to receive further instructions that allow the attackers to run enumeration commands on the host.
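The packaging described above (a setup executable shipped next to a Python runtime DLL and loose .py scripts) is something a defender can check for before an archive is ever run. The following triage helper is an added example, not code from Securonix or The Hacker News; the sample archive it builds is constructed here with placeholder contents, and the file-name heuristics are an assumption based on the report's description, so a hit marks a side-loading opportunity to review, not confirmed malware.

```python
import io
import re
import zipfile

# Heuristics modelled on the SEO#LURKER lure: a setup/installer executable, a DLL
# named like a CPython runtime (python311.dll) and loose scripts in one archive.
PYTHON_DLL_RE = re.compile(r"^python3\d{1,2}\.dll$", re.IGNORECASE)
SETUP_EXE_RE = re.compile(r"(setup|install).*\.exe$", re.IGNORECASE)


def _dirname(path: str) -> str:
    """Directory part of a ZIP member path ('' for top-level entries)."""
    return path.rsplit("/", 1)[0] if "/" in path else ""


def inspect_archive(data: bytes) -> dict:
    """Inventory a ZIP and flag an exe that has a python3xx.dll in its own directory.

    A side-loaded DLL must sit where the launching exe looks first (its directory),
    so a DLL elsewhere in the archive is recorded but does not raise the flag.
    """
    findings = {"setup_exes": [], "python_dlls": [], "scripts": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if SETUP_EXE_RE.search(base):
                findings["setup_exes"].append(info.filename)
            elif PYTHON_DLL_RE.match(base):
                findings["python_dlls"].append(info.filename)
            elif base.lower().endswith(".py"):
                findings["scripts"].append(info.filename)
    exe_dirs = {_dirname(p) for p in findings["setup_exes"]}
    dll_dirs = {_dirname(p) for p in findings["python_dlls"]}
    findings["suspicious"] = bool(exe_dirs & dll_dirs)
    return findings


def build_sample_zip(names) -> bytes:
    """Constructed test archive (NOT the real WinSCP_v.6.1.zip); members hold dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip(["WinSCP_v.6.1/setup.exe", "WinSCP_v.6.1/python311.dll",
                             "WinSCP_v.6.1/slv.py", "WinSCP_v.6.1/wo15.py"])
    print(inspect_archive(lure))
```

Legitimate Python-based installers also ship a python3xx.dll, so treat a flag as a prompt to verify the download source and signature rather than as a verdict.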

"Given the fact that the attackers were leveraging Google Ads to disperse malware, it can be believed that the targets are limited to anyone seeking WinSCP software," the researchers said.

"The geoblocking used on the site hosting the malware suggests that those in the U.S. are victims of this attack."


This isn't the first time Google's Dynamic Search Ads have been abused to distribute malware. Late last month, Malwarebytes lifted the lid on a campaign that targets users searching for PyCharm with links to a hacked website hosting a rogue installer that paves the way for the deployment of information-stealing malware.

Malvertising has grown in popularity among cybercriminals over the past few years, with numerous malware campaigns using the tactic for attacks in recent months.

Earlier this week, Malwarebytes revealed an uptick in credit card skimming campaigns in October 2023 that are estimated to have compromised hundreds of e-commerce websites with the aim of stealing financial information by injecting convincing counterfeit payment pages.
