Warning: Fake Utility Software Spreads Malware via Google Ads

After a period of apparent quiet, FPT Threat Intelligence has observed threat actors returning to malicious advertising to distribute malware disguised as software downloads. The campaign is broad in scope: it impersonates productivity and utility software such as Slack, Notion, Calendly, Odoo, Basecamp and many others.
Campaign Details
A large-scale campaign was recently discovered targeting users of popular utility software. It relies on malvertising: paid Google Ads placements that lead to malware instead of the advertised product.
The impersonated products include Slack, Notion, Calendly, Odoo, Basecamp and many others, and both Windows and Mac users are targeted.
The attackers create Google ads under the identities of real businesses. The ads look legitimate, reusing the logos and official descriptions of the impersonated brands, so the sponsored result is easy to mistake for the vendor's own listing.

When a user clicks the ad, they are redirected through several intermediate hops designed to defeat automated scanners (a crawler or sandbox that follows the ad link is served a benign page, while a real victim is forwarded on). The victim eventually lands on a lookalike download page for the impersonated product that serves the malware.
For Windows, the payloads are hosted as GitHub release assets (see the release URLs in the IOC list below). Because the download itself comes from github.com, domain reputation alone will not flag it; match on the release path or the file hash instead.
For Mac, the payloads are served from an attacker-controlled domain by PHP scripts that tie each download to a unique identifier, so two victims are unlikely to fetch the same URL.

IOCs
Malicious hostnames:
creativekt[.]com
slack[.]designexplorerapp[.]net
odoo[.]studioplatformapp[.]net
notion[.]foreducationapp[.]com
slack[.]workmeetingsapp[.]com
clockify[.]turnrevenue[.]com
slack[.]aerodrame[.]finance
GitHub release URLs (Windows payload hosting):
github[.]com/09shubin/asdjh23/releases/download/nhehhh34/
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/
Payload hashes, SHA-256 (Windows):
9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7
Payload hashes, SHA-256 (Mac):
b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd
C2 server IPs:
85.209.11[.]155
193.3.19[.]251
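The IOCs above are only useful once they are actually searched for. The following script is an added example written for this page; it is not code from FPT Threat Intelligence or from the referenced Malwarebytes write-up. It embeds the indicators listed above exactly as published (refanging the "[.]" notation), hashes files under a directory against the SHA-256 list, and scans proxy-style log lines for the hostnames, GitHub release paths and C2 addresses. The log lines in SAMPLE_LOG and the file name inside them are constructed for the demonstration, and the log format is an assumed generic one; adapt the regexes to your own proxy or DNS log layout.

```python
"""Hunt for the Google Ads malvertising IOCs listed above.

Added example for this advisory, not part of the original report.
IOC values are copied verbatim from the list above; SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
import sys
from pathlib import Path
from urllib.parse import urlparse


def refang(indicator: str) -> str:
    """Turn the defanged "[.]" form used in IOC lists back into a real value."""
    return indicator.replace("[.]", ".")


MALICIOUS_HOSTS = {refang(h) for h in (
    "creativekt[.]com", "slack[.]designexplorerapp[.]net",
    "odoo[.]studioplatformapp[.]net", "notion[.]foreducationapp[.]com",
    "slack[.]workmeetingsapp[.]com", "clockify[.]turnrevenue[.]com",
    "slack[.]aerodrame[.]finance",
)}
MALICIOUS_GITHUB_PATHS = {refang(p) for p in (
    "github[.]com/09shubin/asdjh23/releases/download/nhehhh34/",
    "github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/",
)}
C2_IPS = {ipaddress.ip_address(refang(i)) for i in ("85.209.11[.]155", "193.3.19[.]251")}
PAYLOAD_SHA256 = {
    # Windows payloads
    "9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e",
    "2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211",
    "e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2",
    "637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955",
    "79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72",
    "6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601",
    "de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733",
    "77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7",
    # Mac payloads
    "b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2",
    "9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_url(url: str) -> str | None:
    """Return the indicator a URL matches, or None.

    A host matches when it equals a listed hostname or is a subdomain of it;
    a github.com URL matches when it starts with a listed release path;
    a bare-IP URL matches when the host is a listed C2 address.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for bad in MALICIOUS_HOSTS:
        if host == bad or host.endswith("." + bad):
            return bad
    for bad in MALICIOUS_GITHUB_PATHS:
        if (host + parsed.path).startswith(bad):
            return bad
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            return host
    except ValueError:
        pass
    return None


def scan_log(lines) -> list[tuple[int, str, str]]:
    """Scan log lines; return (line number, matched token, indicator) per hit."""
    hits, seen = [], set()
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            ioc = classify_url(url)
            if ioc and (n, ioc) not in seen:
                seen.add((n, ioc))
                hits.append((n, url, ioc))
        for ip in IPV4_RE.findall(line):  # CONNECT lines carry no URL scheme
            try:
                if ipaddress.ip_address(ip) in C2_IPS and (n, ip) not in seen:
                    seen.add((n, ip))
                    hits.append((n, ip, ip))
            except ValueError:  # regex also admits octets > 255
                continue
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_known_payloads(root: Path) -> list[tuple[Path, str]]:
    """Hash every regular file under root (streamed) and return listed payloads."""
    matches = []
    for p in root.rglob("*"):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            if h.hexdigest() in PAYLOAD_SHA256:
                matches.append((p, h.hexdigest()))
    return matches


# Constructed proxy-style log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    "2024-10-22T09:14:03Z 10.0.4.17 GET https://slack.workmeetingsapp.com/download OK",
    "2024-10-22T09:14:09Z 10.0.4.17 GET https://github.com/09shubin/asdjh23/releases/download/nhehhh34/setup.exe OK",
    "2024-10-22T09:15:41Z 10.0.4.17 CONNECT 85.209.11.155:443",
    "2024-10-22T09:16:00Z 10.0.4.18 GET https://slack.com/downloads/windows OK",
]

if __name__ == "__main__":
    for n, token, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {token} -> matches IOC {ioc}")
    for path, digest in find_known_payloads(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"KNOWN PAYLOAD {path} {digest}")
```

Note the subdomain rule in classify_url: the listed hostnames are themselves subdomains (slack.workmeetingsapp.com, for example), so the script does not flag the bare parent domain. If you want to block at the registered-domain level, add the parent domains to a separate block list rather than widening the match here.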
Recommendations:
Treat sponsored results with suspicion even when they appear at the top of a Google search; the domain shown in an ad can differ from the destination, so check the address bar on the landing page before downloading anything.
Download software only from the developer's official website, or from the vendor's own package channel, never from a link in an ad or an untrusted source. Where the vendor publishes checksums or signs its installers, verify them before running the file.
Block the listed hostnames and C2 IPs at the proxy and DNS layers, and search endpoint and download logs for the SHA-256 hashes and GitHub release paths above.
Install and maintain reputable endpoint protection on all devices, including Macs, and keep it updated.
Run regular security awareness training so staff recognise malvertising and know to report unexpected installers.
References
Large scale Google Ads campaign targets utility software, Malwarebytes Labs, October 2024: https://www.malwarebytes.com/blog/news/2024/10/large-scale-google-ads-campaign-targets-utility-software