Malicious Google Ads Trick WinSCP Users into Installing Malware


Nov 17, 2023 | Newsroom | Malvertising / Malware

Threat actors are leveraging manipulated search results and bogus Google ads to trick users who want to download legitimate software such as WinSCP into installing malware instead.

Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.

“The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The threat actors are believed to leverage Google's Dynamic Search Ads (DSAs), which automatically generate ads based on a website's content, to serve the malicious ads that take victims to the infected site.


The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and downloading the malware.

“Traffic from the gaweeweb[.]com website to the fake winsccp[.]net website relies on a correct referrer header being set properly,” the researchers said. “If the referrer is incorrect, the user is ‘Rickrolled’ and is sent to the infamous Rick Astley YouTube video.”

The final payload takes the form of a ZIP file (“WinSCP_v.6.1.zip”) that comes with a setup executable, which, when launched, employs DLL side-loading to load and execute a DLL file named python311.dll that is present within the archive.

The DLL, for its part, downloads and executes a legitimate WinSCP installer to keep up the ruse, while stealthily dropping Python scripts (“slv.py” and “wo15.py”) in the background to activate the malicious behavior. It is also responsible for setting up persistence.

Both Python scripts are designed to establish contact with a remote actor-controlled server to receive further instructions that allow the attackers to run enumeration commands on the host.

“Given the fact that the attackers were leveraging Google Ads to disperse malware, it can be believed that the targets are limited to anyone seeking WinSCP software,” the researchers said.

“The geoblocking used on the site hosting the malware suggests that those in the U.S. are victims of this attack.”


This isn't the first time Google's Dynamic Search Ads have been abused to distribute malware. Late last month, Malwarebytes lifted the lid on a campaign that targets users searching for PyCharm with links to a hacked website hosting a rogue installer that paves the way for the deployment of information-stealing malware.

Malvertising has grown in popularity among cybercriminals in the past few years, with numerous malware campaigns using the tactic for attacks in recent months.

Earlier this week, Malwarebytes revealed an uptick in credit card skimming campaigns in October 2023 that are estimated to have compromised hundreds of e-commerce websites with the aim of stealing financial information by injecting convincing counterfeit payment pages.
