“Hey, This Isn’t the Right Site!” Distribution of Malware Exploiting Google Ads Tracking

AhnLab SEcurity intelligence Center (ASEC) has recently detected a malware strain being distributed by using the Google Ads tracking feature. The confirmed cases show that the malware is being distributed by disguising itself as an installer for popular groupware such as Notion and Slack. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker’s server. Below is the list of the file names that have been discovered so far.

  • Notion_software_x64_.exe
  • Slack_software_x64_.exe
  • Trello_software_x64_.exe
  • GoodNotes_software_x64_32.exe

This type of malware is distributed in installer form, usually as an Inno Setup installer or a Nullsoft Scriptable Install System (NSIS) installer. Among them, Notion_software_x64_.exe was, until recently, being served to users who searched Google for the keyword “notion”.

The attacker used Google Ads tracking to trick users into believing they were accessing a legitimate website.
Google Ads tracking lets advertisers enter the address of an external analytics site so that visitor access data can be collected and used to measure ad traffic. The following figures are examples of the final URL and the tracking template URL that are entered into a Google Ad.

Figure 1. Final URL (example)
Figure 2. Tracking template URL (example)

The following figure is an example of how the ad is shown to users. The ad carries a tracking URL that, as the figure shows, is never displayed to the user. When users click on the banner, they are redirected to the tracking template URL rather than to the final URL that they can see.

Figure 3. The banner shown on a Google Ad (example)
Figure 4. Redirection sequence upon clicking the ad (example)

Google Ads tracking is intended for analyzing website traffic. In this ad, however, the tracking template pointed not to an external statistics site but to a malware distribution site.
The attacker’s ad has since been deleted. While it was active, clicking on the banner took unsuspecting users to an address that tricked them into downloading a malicious file. The redirection addresses and the final landing page are shown below.

Redirection address

1. hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3yV4nTuE_ptW9t-YIT1-Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96OMpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE
2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
3. hxxps://cerisico[.]net/

Final landing page

● hxxps://notione.my-apk[.]com

The final landing page was built to resemble the real website of the groupware tool, prompting visitors to download and execute the malware.
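As an added illustration (not code from ASEC or from the report), the following Python audits a redirect chain like the one above: it collects the domains a user is led to expect (the displayed final URL plus any `url=`-style target embedded in intermediate redirectors) and flags a landing page whose domain is not among them, or merely contains the brand name. The chain is constructed from the defanged addresses above with the hosts re-fanged for parsing; `DISPLAYED_URL` and the two-label `registrable` helper are simplifying assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed chain modelled on the article's redirection sequence (hosts re-fanged for parsing).
CHAIN = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ase=2&ohost=www.google.com&q&nis=6&adurl",
    "https://pantovawy.page.link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8",
    "https://cerisico.net/",
    "https://notione.my-apk.com",
]
DISPLAYED_URL = "https://www.notion.so/pricing"  # what the ad banner showed (assumed)

def registrable(host):
    """Last two labels of a host name; an approximation (assumption) that ignores ccSLDs like co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def embedded_targets(url):
    """Hosts named in url=/adurl=-style parameters of a redirector hop."""
    params = parse_qs(urlparse(url).query)  # percent-decodes %3F etc. for us
    hosts = set()
    for key in ("url", "adurl", "dest", "redirect"):
        for value in params.get(key, []):
            host = urlparse(unquote(value)).hostname
            if host:
                hosts.add(host)
    return hosts

def audit_chain(displayed_url, chain):
    """Flag a landing page whose domain is not one the user was led to expect."""
    brand = registrable(urlparse(displayed_url).hostname)
    expected = {brand}
    for hop in chain[:-1]:
        expected |= {registrable(h) for h in embedded_targets(hop)}
    landing_host = urlparse(chain[-1]).hostname or ""
    landing = registrable(landing_host)
    suspicious = landing not in expected
    # Lookalike: the brand's name appears inside an unrelated landing host (notione.my-apk.com).
    lookalike = suspicious and brand.split(".")[0] in landing_host.lower()
    return {"landing": landing, "expected": expected,
            "suspicious": suspicious, "lookalike": lookalike}

if __name__ == "__main__":
    print(audit_chain(DISPLAYED_URL, CHAIN))
```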

Once executed, the malware contacts text-hosting and URL-shortening services such as textbin and tinyurl to retrieve the address of the malicious payload. The URLs the attacker used to fetch the payload address are shown below.

  • hxxp://tinyurl[.]com/4jnvfsns
  • hxxp://tinyurl[.]com/4a3uxm6m
  • hxxps://textbin[.]net/raw/oumciccl6b
  • hxxp://tinyurl[.]com/mrx7263e

When these addresses are accessed, the response contains the download address of the malicious payload. Those download addresses are shown below.

  • hxxps://slashidot[.]org/@abcDP.exe
  • hxxps://yogapets[.]xyz/@abcmse1.exe
  • hxxps://bookpool[.]org/@Base.exe
  • hxxp://birdarid[.]org/@abcDS.exe

Figure 5. Malicious payload address

The Rhadamanthys malware (an infostealer) is ultimately downloaded from the above addresses and injected into legitimate Windows binaries in the %system32% path. Because the malicious code then runs inside a legitimate process, it can steal users’ private data without their noticing.

Legitimate Windows files that are targets for injection (%system32% path)

● dialer.exe
● openwith.exe
● dllhost.exe
● rundll32.exe
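The two stages just described, the payload-address fetch from a paste or shortener site and the injection into a system binary, both leave telemetry a defender can query. The following Python is an added example (not ASEC's code) that runs two such checks over constructed, clearly labelled events: a process that fetches a resolver host and then downloads an .exe within a short window, and one of the named injection targets connecting outside RFC 1918 space. The resolver list, the full system32 paths and the event format are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Services the report shows serving the payload address; extend with your own list (assumption).
RESOLVER_HOSTS = {"tinyurl.com", "textbin.net"}
# The legitimate binaries the report names as injection targets (full paths assumed).
INJECTION_TARGETS = {"c:\\windows\\system32\\" + n for n in
                     ("dialer.exe", "openwith.exe", "dllhost.exe", "rundll32.exe")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed telemetry (not real logs): web requests and network connections per process image.
EVENTS = [
    {"ts": "2024-02-27T10:00:01", "image": r"C:\Users\u\Downloads\Notion_software_x64_.exe",
     "type": "http", "url": "https://textbin.net/raw/oumciccl6b"},
    {"ts": "2024-02-27T10:00:03", "image": r"C:\Users\u\Downloads\Notion_software_x64_.exe",
     "type": "http", "url": "https://bookpool.org/@Base.exe"},
    {"ts": "2024-02-27T10:00:09", "image": r"C:\Windows\System32\dialer.exe",
     "type": "netconn", "dst": "203.0.113.5"},
    {"ts": "2024-02-27T10:01:00", "image": r"C:\Windows\System32\svchost.exe",
     "type": "netconn", "dst": "10.0.0.2"},
]

def staged_fetches(events, window=timedelta(minutes=5)):
    """A resolver fetch followed, within `window`, by an .exe download from the same process."""
    last_resolver, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "http":
            continue
        t = datetime.fromisoformat(e["ts"])
        parsed = urlparse(e["url"])
        if (parsed.hostname or "") in RESOLVER_HOSTS:
            last_resolver[e["image"]] = t
        elif parsed.path.lower().endswith(".exe"):
            t0 = last_resolver.get(e["image"])
            if t0 is not None and t - t0 <= window:
                hits.append((e["image"], e["url"]))
    return hits

def target_beacons(events):
    """Injection-target binaries connecting outside RFC 1918 space; each hit is worth triaging."""
    return [(e["image"], e["dst"]) for e in events
            if e["type"] == "netconn" and e["image"].lower() in INJECTION_TARGETS
            and not any(ip_address(e["dst"]) in net for net in RFC1918)]

if __name__ == "__main__":
    print(staged_fetches(EVENTS))
    print(target_beacons(EVENTS))
```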

This Rhadamanthys distribution case confirms that attackers can abuse Google Ads to deceive users. In fact, any search engine that offers click tracking for ad traffic measurement can be abused in the same way to distribute malware. Users should check the URL shown in the address bar once the website has loaded, not the URL displayed on the ad’s banner.

[IOC]



[File Detection]
Trojan/Win.Agent.C5595056 (2024.02.29.02)
Trojan/Win.Agent.C5592526 (2024.02.23.02)
Trojan/Win.Agent.C5594794 (2024.02.28.03)
Trojan/Win.Rhadamanthys.R636740 (2024.02.27.00)

[Behavior Detection]
Injection/MDP.Event.M10231

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
