A new malvertising campaign has emerged, leveraging Google Promotions to steer users seeking popular software towards deceptive landing pages and subsequently distribute malicious payloads. This campaign, as reported by Malwarebytes, is distinctive in its approach, particularly in how it identifies users and delivers time-sensitive threats.
What is Malvertising?
Malvertising, a portmanteau of “malicious” and “advertising,” is a deceptive and harmful online advertising technique used by cybercriminals to spread malware and exploit unsuspecting users. It involves the insertion of malicious code or malware into legitimate online advertisements, which are then displayed on various websites, including reputable ones. The goal of malvertising is to infect users’ devices or direct them to malicious websites, often without their knowledge or consent.
What does the Malicious Malvertising Campaign Distributing the FakeBat Malware Do?
Exploiting Google Promotions
This sophisticated attack is tailored to individuals searching for software such as Notepad++ and PDF converters. It introduces deceptive advertisements on Google search results pages. Once clicked, it filters out automated bots and random IP addresses, skillfully redirecting visitors to a fraudulent website.
Identification and Fingerprinting
If the visitor is deemed a potential threat, they are redirected to a counterfeit site promoting the desired software while secretly fingerprinting the system to determine whether the request originates from a virtual machine. Users who fail this check are directed to the legitimate Notepad++ site, while potential targets receive a unique identifier for tracking and ensuring that each download is both unique and time-sensitive.
Delivery of Malware
The final stage of this malware campaign delivers a HTA (HTML Application) payload, establishing a connection to a remote domain, “mybigeye[.]icu,” on a custom port, and disseminating further malware.
Selecting Specific Targets
Jerome Segura, Director of Threat Intelligence, highlighted the use of evasion techniques by threat actors to bypass ad verification checks and focus on specific victim types. This revelation aligns with a similar campaign targeting users searching for the KeePass password manager.
Punycode for Deceptive Domains
This campaign uses malicious ads to direct victims to a domain employing Punycode, a special encoding that converts Unicode characters into ASCII (e.g., keepass[.]info versus ķeepass[.]info). The goal is to execute homograph attacks and entice victims into downloading malware.
Avoiding Testing Conditions
Victims who click on the ad are redirected through a cloaking service designed to exclude test environments, automated bots, and those not identified as genuine victims. Threat actors have established a temporary domain at keepasstacking[.]site, which serves as the final destination.
Users landing on the deceptive site are deceived into downloading a malicious installer, ultimately leading to the activation of FakeBat (also known as EugenLoader), a loader designed to download additional malicious code.
Removing the Threat
To remove this threat, follow these steps:
- Disconnect from the Internet: Cut off your internet connection to prevent further communication with malicious servers.
- Restart in Safe Mode: Restart your computer in Safe Mode to minimize the impact of the malicious software.
- Uninstall Suspicious Programs: In the Control Panel, uninstall any suspicious programs related to the threat.
- Delete Malicious Files: Manually delete any remaining malicious files and directories from your system.
- Remove Registry Entries: Access the Windows Registry Editor and remove entries associated with the threat.
- Run Anti-Malware Scans: Use reputable anti-malware software to perform a comprehensive system scan and remove any residual threats.
The malvertising campaign exploiting Google Promotions and employing Punycode for deceptive domains represents a growing sophistication in cyber threats. Staying informed, using reliable security software, being cautious online, keeping software updated, and regularly backing up your data are essential practices to protect your system from such threats in the future.