A malvertising campaign has been uncovered that abuses Google Ads to lure people searching for popular software onto fake landing pages that drop additional payloads. Malwarebytes, which spotted the campaign, describes it as novel for combining user fingerprinting with time-sensitive payload delivery.
Using misleading adverts, it specifically targets people searching Google for Notepad++ and PDF converters. When an ad is clicked, the attackers' infrastructure filters out bots and unwanted IP addresses and redirects everyone else to a bogus software promotion page, while silently checking whether the request originates from a virtual machine.
Visitors who fail that check (those identified as virtual machines or sandboxes) are sent to the official Notepad++ website instead. Visitors who pass are assigned a unique ID that tracks them and ties each download to a single, time-limited request, so a download link cannot simply be replayed later.
The main payload is an HTA (HTML Application) file that connects to a remote domain (mybigeye[.]icu) on a custom port and then retrieves and deploys additional malware.
Malwarebytes Director of Threat Intelligence Jérôme Segura highlighted the campaign's effective evasion tactics, which let the threat actors bypass ad verification checks and concentrate on specific victim demographics.
With a reliable delivery mechanism in place, the operators can focus on polishing their fake pages and crafting payloads tailored to their goals. The findings echo a separate campaign targeting people searching for the KeePass password manager: fake ads send victims to a lookalike site whose domain relies on Punycode, the encoding that represents Unicode characters in the ASCII-only domain name system (here ķeepass[.]info, which appears on the wire as xn--eepass-vbb[.]info, masquerading as the genuine keepass[.]info).
According to Segura, anyone who clicks the advertisement is passed through a cloaking service designed to screen out sandboxes, bots, and anyone not judged to be a real victim. Keepasstacking[.]site serves as the threat actors' temporary domain and performs the conditional redirect to the final page.
Visitors to the fake site are tricked into downloading a malicious installer that launches FakeBat (also known as EugenLoader), a loader whose job is to retrieve and execute further malicious code.
Abuse of Punycode is not new, but paired with malicious Google Ads it marks a step up in search engine malvertising. In a homograph attack, Punycode lets an attacker register a domain whose rendered form closely resembles that of a trusted website, which is enough to convince users to download malware.
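As an added example (not code from Malwarebytes or from the original article), the following Python shows the two faces of a Punycode domain, the xn-- form seen in DNS and proxy logs and the Unicode form a browser renders, and a simple lookalike check of the kind a proxy or SIEM rule could apply to both the KeePass cedilla trick and Cyrillic variants. The brand allowlist and the small confusables table are assumptions for the demonstration, not a complete confusables database.

```python
import unicodedata

# Constructed allowlist of brands to protect; a real deployment would load
# this from configuration.
PROTECTED_BRANDS = {"keepass.info", "notepad-plus-plus.org"}

# Illustrative subset of Unicode look-alikes (Cyrillic letters that render
# like Latin ones). Assumption for this example: the full UTS #39 confusables
# table is far larger and is what production code should use.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def to_ascii(domain: str) -> str:
    """Unicode domain -> ACE form (xn--...), the string seen in DNS and TLS."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """ACE form -> Unicode, the string a browser renders in the address bar."""
    return domain.encode("ascii").decode("idna")


def skeleton(rendered: str) -> str:
    """Collapse look-alike characters so k-with-cedilla and plain k compare equal."""
    # NFKD splits U+0137 into 'k' + U+0327 COMBINING CEDILLA; dropping
    # nonspacing marks (category Mn) leaves the base letter.
    decomposed = unicodedata.normalize("NFKD", rendered.lower())
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def check_domain(domain: str):
    """Return a finding dict if `domain` impersonates a protected brand, else None.

    Accepts either the rendered Unicode form or the xn-- form, since both turn
    up in evidence (proxy logs carry the ACE form, screenshots the rendered one).
    """
    ace = domain.lower() if domain.isascii() else to_ascii(domain)
    rendered = to_unicode(ace)
    skel = skeleton(rendered)
    if skel in PROTECTED_BRANDS and ace != skel:
        return {"ace": ace, "rendered": rendered, "impersonates": skel}
    return None


if __name__ == "__main__":
    # Constructed sample: the ACE form from the KeePass campaign, the
    # legitimate site, and a Cyrillic variant the cedilla trick does not cover.
    for candidate in ["xn--eepass-vbb.info", "keepass.info", "k\u0435epass.info"]:
        print(candidate, "->", check_domain(candidate))
```

The check deliberately compares the skeleton rather than the raw string: stripping diacritics and mapping confusables is what turns ķeepass[.]info back into keepass[.]info, and the `ace != skel` condition keeps the genuine domain from flagging itself.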